Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calculate difference

AB24
Loves-to-Learn Everything
‎05-08-2023 11:39 PM
 
Labels (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2023 12:12 AM

Try something like this

| where Device_Info == "Device Number" OR match(Device_Info,"\d+")
| streamstats count(eval(Device_Info=="Device Number")) as Inspection_Count
| stats values(eval(if(match(Device_Info, "\d+"),Device_Info,null()))) as Device_Info range(_time) as total_duration by Inspection_Count
| where total_duration > 0
| streamstats reset_on_change=t count as Inspection_Count by Device_Info
| eventstats sum(total_duration) as sum_duration by Device_Info
| eval total_duration = total_duration / 60
| eval sum_duration = sum_duration / 60
0 Karma
Reply

AB24
Loves-to-Learn Everything
‎05-09-2023 02:06 AM

Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2023 02:13 AM

Remove the reset_on_change=t

0 Karma
Reply

AB24
Loves-to-Learn Everything
‎05-09-2023 02:40 AM

Some Device_Info are merging in the result instead of one device_info per row it is two device_info per row

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2023 02:45 AM

Perhaps if you shared some of your real events and results and your SPL, we might be able to advise you further. Vague descriptions of the issue and fake data means we can only offer solutions based what you have provided, and to that extent, the solution provided does work (but only with the fake data you provided)!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...