Splunk Enterprise

How to count the delta of the first and the last event

spisiakmi
Communicator

Hi, can you help me to solve this problem, please?

I have index=index1

In a specified time range, e.g. 3 hours, I have these events. Time is a regular time point, where the electric power has been measured. ID is the name of the electrical counter, which counts the electrical measurements. Value is the measured electrical power [kW]. 

TimeIDValue
02.07.2020 06:00:00counter11000
02.07.2020 06:00:00counter22000
02.07.2020 06:00:00counter33000
02.07.2020 07:00:00counter12000
02.07.2020 07:00:00counter23000
02.07.2020 07:00:00counter34000
02.07.2020 08:00:00counter13000
02.07.2020 08:00:00counter24000
02.07.2020 08:00:00counter35000

How can I count the consumption of each counter in this time range?

I need this output

IDconsumption
counter12000
counter22000
counter32000

 

Thank you

Labels (1)
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@spisiakmi,

Assuming that the counter always increases and does not reset , try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @spisiakmi ,

can we say the the max value for each ID is the result you want?

if yes, try something like this:

index=index1
| stats max(value) AS value BY ID

Ciao.

Giuseppe

0 Karma

spisiakmi
Communicator

Hi

no, you need to do max-min. The counter always increase.

Tags (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @spisiakmi ,

try:

index=index1
| stats max(Value) as max min(Value) as min by ID
| eval delta=max-min

Ciao.

Giuseppe

0 Karma

to4kawa
SplunkTrust
SplunkTrust
| makeresults 
| eval _raw="Time	ID	Value
02.07.2020 06:00:00	counter1	1000
02.07.2020 06:00:00	counter2	2000
02.07.2020 06:00:00	counter3	3000
02.07.2020 07:00:00	counter1	2000
02.07.2020 07:00:00	counter2	3000
02.07.2020 07:00:00	counter3	4000
02.07.2020 08:00:00	counter1	3000
02.07.2020 08:00:00	counter2	4000
02.07.2020 08:00:00	counter3	5000"
| multikv forceheader=1
| stats range(Value) by ID

try | stats range()

spisiakmi
Communicator

@to4kawa

ou yeah. very very elegant. 

Tags (1)
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@spisiakmi,

Assuming that the counter always increases and does not reset , try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

View solution in original post

0 Karma

spisiakmi
Communicator

@enjith_nair you have absolutely right. It was so easy and I made it already so many times. Thank you very much.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.