Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count the delta of the first and the last event

spisiakmi
Communicator
‎07-02-2020 02:11 AM

Hi, can you help me to solve this problem, please?

I have index=index1

In a specified time range, e.g. 3 hours, I have these events. Time is a regular time point, where the electric power has been measured. ID is the name of the electrical counter, which counts the electrical measurements. Value is the measured electrical power [kW]. 

TimeIDValue
02.07.2020 06:00:00counter11000
02.07.2020 06:00:00counter22000
02.07.2020 06:00:00counter33000
02.07.2020 07:00:00counter12000
02.07.2020 07:00:00counter23000
02.07.2020 07:00:00counter34000
02.07.2020 08:00:00counter13000
02.07.2020 08:00:00counter24000
02.07.2020 08:00:00counter35000

How can I count the consumption of each counter in this time range?

I need this output

IDconsumption
counter12000
counter22000
counter32000

 

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-02-2020 02:58 AM

@spisiakmi,

Assuming that the counter always increases and does not reset , try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-02-2020 04:23 AM

Hi @spisiakmi ,

can we say the the max value for each ID is the result you want?

if yes, try something like this:

index=index1
| stats max(value) AS value BY ID

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎07-02-2020 04:30 AM

Hi

no, you need to do max-min. The counter always increase.

Tags (3)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-02-2020 04:46 AM

Hi @spisiakmi ,

try:

index=index1
| stats max(Value) as max min(Value) as min by ID
| eval delta=max-min

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-02-2020 04:34 AM 
| makeresults 
| eval _raw="Time	ID	Value
02.07.2020 06:00:00	counter1	1000
02.07.2020 06:00:00	counter2	2000
02.07.2020 06:00:00	counter3	3000
02.07.2020 07:00:00	counter1	2000
02.07.2020 07:00:00	counter2	3000
02.07.2020 07:00:00	counter3	4000
02.07.2020 08:00:00	counter1	3000
02.07.2020 08:00:00	counter2	4000
02.07.2020 08:00:00	counter3	5000"
| multikv forceheader=1
| stats range(Value) by ID

try | stats range()

Reply
Solved! Jump to solution

spisiakmi
Communicator
‎07-02-2020 04:39 AM

@to4kawa

ou yeah. very very elegant. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-02-2020 02:58 AM

@spisiakmi,

Assuming that the counter always increases and does not reset , try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎07-02-2020 04:17 AM

@enjith_nair you have absolutely right. It was so easy and I made it already so many times. Thank you very much.

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...