Splunk Enterprise

## How to count the delta of the first and the last event

Communicator

Hi, can you help me to solve this problem, please?

I have index=index1

In a specified time range, e.g. 3 hours, I have these events. Time is a regular time point, where the electric power has been measured. ID is the name of the electrical counter, which counts the electrical measurements. Value is the measured electrical power [kW].

| Time | ID | Value |
|---|---|---|
| 02.07.2020 06:00:00 | counter1 | 1000 |
| 02.07.2020 06:00:00 | counter2 | 2000 |
| 02.07.2020 06:00:00 | counter3 | 3000 |
| 02.07.2020 07:00:00 | counter1 | 2000 |
| 02.07.2020 07:00:00 | counter2 | 3000 |
| 02.07.2020 07:00:00 | counter3 | 4000 |
| 02.07.2020 08:00:00 | counter1 | 3000 |
| 02.07.2020 08:00:00 | counter2 | 4000 |
| 02.07.2020 08:00:00 | counter3 | 5000 |

How can I count the consumption of each counter in this time range?

I need this output

| ID | consumption |
|---|---|
| counter1 | 2000 |
| counter2 | 2000 |
| counter3 | 2000 |

Thank you


1 Solution
SplunkTrust

Assuming that the counter always increases and does not reset, try

```
"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low
```

Happy Splunking!
Legend

Hi @spisiakmi ,

can we say that the max value for each ID is the result you want?

if yes, try something like this:

```
index=index1
| stats max(Value) AS value BY ID
```

Ciao.

Giuseppe

Communicator

No, you need to do max-min. The counter always increases.

Legend

Hi @spisiakmi ,

try:

```
index=index1
| stats max(Value) as max min(Value) as min by ID
| eval delta=max-min
```

Ciao.

Giuseppe

Ultra Champion
```
| makeresults
| eval _raw="Time	ID	Value
02.07.2020 06:00:00	counter1	1000
02.07.2020 06:00:00	counter2	2000
02.07.2020 06:00:00	counter3	3000
02.07.2020 07:00:00	counter1	2000
02.07.2020 07:00:00	counter2	3000
02.07.2020 07:00:00	counter3	4000
02.07.2020 08:00:00	counter1	3000
02.07.2020 08:00:00	counter2	4000
02.07.2020 08:00:00	counter3	5000"
| stats range(Value) by ID
```

try | stats range()

Communicator

@to4kawa

Oh yeah. Very, very elegant.

Communicator

@enjith_nair you are absolutely right. It was so easy, and I have already done it so many times. Thank you very much.
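The accepted answer assumes the counter always increases and does not reset. As an added example (not from the thread or from Splunk), the search below covers the reset case by summing the per-interval increases for each ID instead of taking max minus min. The rows in `constructed_rows` are constructed sample data, and counting the first reading after a reset as consumption since zero is an assumption.

```spl
| makeresults
| eval constructed_rows=split("02.07.2020 06:00:00,counter1,1000;02.07.2020 07:00:00,counter1,2000;02.07.2020 08:00:00,counter1,300;02.07.2020 06:00:00,counter2,2000;02.07.2020 07:00:00,counter2,3000;02.07.2020 08:00:00,counter2,4000", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<Time>[^,]+),(?<ID>[^,]+),(?<Value>\d+)$"
| eval _time=strptime(Time, "%d.%m.%Y %H:%M:%S"), Value=tonumber(Value)
| sort 0 ID _time
| streamstats current=f last(Value) AS prev BY ID
| eval step=case(isnull(prev), 0, Value>=prev, Value-prev, true(), Value)
| stats range(Value) AS range_only sum(step) AS consumption BY ID
```

For counter1, which drops from 2000 to 300, `range_only` is 1700 while `consumption` is 1300; for counter2, which never resets, both are 2000.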
