Re: Calculate delta of numeric field of events pai...

jkimmel6 · ‎06-04-2018

I am trying to calculate the difference between the values of fields that are grouped together by transaction. I am matching off of a specific matching field and want to see the % change of a second field. I can only see the ability to do this with duration of time between the events in a group but not the other event fields. Is this possible?

somesoni2 · ‎06-04-2018

Duration is a special output field with transaction command which gives duration based on highest and lowest value of the _time field in the events of the transaction. It doesn't provide an option to do this for other numeric fields. You can however calculate it after the transaction command using an option.

With default options in the transaction command, all fields are listed with just their unique values and sorted alphabetically (the output you get with stats values(fieldname). You would need to override this by specifying option mvlist=t (default false or f), so that in your output you'd get list of all values of that field in the original order before transaction command. Then you can use eval to calculate difference between first and last value in the multivalued field.

your base search 
| transaction ...some fields..  ..some conditions.. mvlist=t
| eval Field1Diff=mvindex(Field1,0)-mvindex(Field1,-1)

You might have to change the order of operands in the eval expression.

jkimmel6 · ‎06-05-2018

Thanks for the response. I am getting an error on the eval due to the minus sign. It says that eval can only accept numbers. The number of events also goes up significantly when I add the mvlist=t. I am trying to look for some documentation on that to see what exactly the command does.

cpetterborg · ‎06-05-2018

Use tonumber() around the mvindex() functions, e.g.:

eval Field1Diff=tonumber(mvindex(Field1,0))-tonumber(mvindex(Field1,-1))

I don't know why @someoni2 used -1 in the index. I would be using 0 and 1, so play around with the numbers that make sense to your data mvindex() takes a 0 relative index number, so 0 is the first element, 1 is the second, etc.

somesoni2 · ‎06-05-2018

Use of tonumber should fix the that type cast issue.

I used -1 mvindex function to retrieve the last value in the multivalued field. The requirement here is to find different of first and last value of those numeric fields and there may be more than 2 values available.

cpetterborg · ‎06-05-2018

I figured there was a good reason for -1. I should have realized it would be the last entry. Thanks, Somesh.

cpetterborg · ‎06-04-2018

Do you mean that you end up with a field that has more than one value (a multi-value field) due to the transaction command, so that you then want to compare the two values in the field? If this is not the case, can you provide some example data (obfuscated where necessary) and what you want to compare from that data?

jkimmel6 · ‎06-05-2018

Yes, this is the case, we end up with a field that has more than one value (a multi-value field) due to the transaction command, and we then want to compare the two values in the field

Calculate delta of numeric field of events paired together by transaction

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Calculate delta of numeric field of events paired together by transaction

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25