Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calculate same event in two different times

tdnguyen1
Explorer
‎11-09-2011 10:02 AM

Hi,

I am new two splunk. I am wondering is there a way to calculate the delta of RXdropped from 5 minutes apart.

10:50:00 RXdropped
123

10:55:00 RXdropped
456

Tags (1)
Reply

tdnguyen1
Explorer
‎11-09-2011 01:30 PM

I did this it seems to work for now.

index=os sourcetype="interfaces" host="prdcg4mdbl03.oss.prd" | multikv | eval PercError_PacketLoss=round(((Error * 100)/(RXbytes+TXbytes)),1) | eval StatusError = if(PercError_PacketLoss >= 1.0, "WARNING", "OK") | eval PercRX_PacketLoss=round(((RXdropped * 100)/RXbytes),1) | eval PercTX_PacketLoss=round(((TXdropped * 100)/TXbytes),1) | eval StatusRX = if(PercRX_PacketLoss >= 1.0, "WARNING", "OK") | eval StatusTX = if(PercTX_PacketLoss >= 1.0, "WARNING", "OK") | table time Name StatusError PercError_PacketLoss StatusRX PercRX_PacketLoss StatusTX PercTX_PacketLoss

Reply

Jon_Webster
Splunk Employee
Splunk Employee
‎11-09-2011 10:27 AM

Hello! Welcome to Splunk!

If you download the *NIX App, you'll find there is a dashboard for network traffic.
Here's the link: http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux

This is the search that the *nix app uses:

index="os" sourcetype="interfaces" host=*  | multikv fields name, inetAddr, RXbytes, TXbytes  | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name   | eval time=_time  | strcat Name "-" inetAddr "@" host Interface_Host  | eval RX_Thruput = lastRX-RXbytes  | eval TX_Thruput = lastTX-TXbytes  | timechart eval(sum(TX_Thruput)/dc(time)) by Interface_Host

In the "streamstats" function, it's creating two new fields: last(Txbytes) as lastTX, and last(Rxbytes) as lastRX. Later it subtracts the last value from the current value with:
Eval RX_Thruput=lastRX-Rxbytes

The last() function gets the most recent value of a field and adds it to the current event. Remember that the default order of events in Splunk is reverse chronological order, so when an event gets the "last" value of a field it's getting it from a later time, so subtracting the "current" value from the "last" value give us the difference, which is the throughput for the period.

Best regards,
Jon

0 Karma
Reply

Jon_Webster
Splunk Employee
Splunk Employee
‎11-09-2011 03:25 PM

It is calculating the delta.
This eval statement subtracts Rxbytes from lastRX and assigns the result to RX_Thruput. 

eval RX_Thruput=lastRX-Rxbytes

In other words: 

lastRX (456) - Rxbytes (123) = RX_Thruput (333)

It's not using RXdropped, but if you use RXdropped you'll get the results you want.

0 Karma
Reply

tdnguyen1
Explorer
‎11-09-2011 01:30 PM

For some reasons, I could not get the right result using your query.

0 Karma
Reply

tdnguyen1
Explorer
‎11-09-2011 11:23 AM

Hi Jon,

Thanks for your fast response. I really appreciated that. The result is not what I expected. I am looking for the delta. Something like this.

456 - 123 = 333

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...