Solved: streamstats and delta

tb5821 · ‎03-26-2018

My search brings back data in a table like so:

_time|product|count
8/15/15 08:00:00|apples|500
8/15/15 08:00:00|oranges|800
8/15/15 08:00:00|plums|200
8/15/15 08:00:00|peaches|275

What I want is to have splunk compute the diff between the latest value above and the one just before it per product. So it ends up like:

8/15/15 08:00:00|apples|500|+50
8/15/15 08:00:00|oranges|800|+200
8/15/15 08:00:00|plums|200|-2
8/15/15 08:00:00|peaches|275|+80

Pretty sure I need to use streamstats and delta but can't get the combo right.

kmaron · ‎03-26-2018

it sounds like your question is like this one: https://answers.splunk.com/answers/329534/how-to-determine-the-delta-between-events-based-on.html

So based on that answer you could try this:

 | streamstats current=f last(count) as last_count by product
 | rename count as current_count
 | eval delta = last_count - current_count
 | table _time product current_count delta

View solution in original post

kmaron · ‎03-26-2018

it sounds like your question is like this one: https://answers.splunk.com/answers/329534/how-to-determine-the-delta-between-events-based-on.html

So based on that answer you could try this:

 | streamstats current=f last(count) as last_count by product
 | rename count as current_count
 | eval delta = last_count - current_count
 | table _time product current_count delta

streamstats and delta

Get More Out of Your Security Practice With a SIEM

New This Month - SLO Capabilities, APM Advanced Filtering & Usage Analytics Plus ...

Enterprise Security Content Update (ESCU) | New Releases