Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Computing column differences

ldnail_at_TI
Path Finder
‎03-09-2021 08:38 AM

This is result of a query that reflects license consumption by day

Index3/2/20213/3/20213/4/20213/5/20213/6/20213/7/20213/8/2021
index010.0180060.0181280.0180650.0180350.0179440.0179850.018042
index020.0149850.0094440.0548030.0104010.0068070.0050350.008998
index033.4689193.6742773.7865653.1331932.1510942.5481734.531934
index040.0849110.0826370.0907850.0624040.0127950.0311980.084129

 

I'm try to compute a daily difference so we can easily spot variance/trend with the result looking something like this:

Index3/2/20213/3/2021dif day 13/4/2021dif day 23/5/2021dif day 33/6/2021dif day 43/7/2021dif day 53/8/2021dif day 6
index010.0180060.018128-0.000120.0180650.000060.0180350.000030.0179440.000090.017985-0.000040.018042-0.00006
index020.0149850.0094440.0055410.054803-0.045360.0104010.044400.0068070.003590.0050350.001770.008998-0.00396
index033.4689193.674277-0.205363.786565-0.112293.1331930.653372.1510940.982102.548173-0.397084.531934-1.98376
index040.0849110.0826370.0022740.090785-0.008150.0624040.028380.0127950.049610.031198-0.018400.084129-0.05293

 

The query I started from is below & I've tried 20 ways to Sunday get a difference column, but no joy

index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d host=licenseserver
| eval GB=round(b/1024/1024/1024,6)
| bucket span=1d _time
| eval Time=strftime(_time,"%m/%d/%y")
| chart sum(GB) AS volume_GB over Time by idx limit=0
| transpose 0 column_name=Index header_field=Time

 

I'm not married to chart or transpose, its just where it all started.

 

Any suggestions?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2021 12:12 AM

Try something like this

index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d host=licenseserver
| eval GB=round(b/1024/1024/1024,6)
| bucket span=1d _time
| stats sum(GB) as volume_GB by idx _time
| streamstats window=2 list(volume_GB) as diff by idx
| eval diff=tonumber(mvindex(diff,0)) - tonumber(mvindex(diff,1))
| eval volume_GB=mvappend(volume_GB,diff)
| xyseries idx _time volume_GB
| foreach * [ eval <<FIELD>>_diff=if(mvcount('<<FIELD>>') > 1, mvindex('<<FIELD>>', 1), null) | eval <<FIELD>>=mvindex('<<FIELD>>',0) ]
| transpose 0 header_field=idx
| eval column=if(match(column,"_"),strftime(mvindex(split(column,"_"),0),"%m/%d/%Y diff"),strftime(column,"%m/%d/%Y"))
| transpose 0 header_field=column

View solution in original post

Reply
Solved! Jump to solution

ldnail_at_TI
Path Finder
‎03-11-2021 07:47 AM

that did the trick... thanks a bunch.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2021 12:12 AM

Try something like this

index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d host=licenseserver
| eval GB=round(b/1024/1024/1024,6)
| bucket span=1d _time
| stats sum(GB) as volume_GB by idx _time
| streamstats window=2 list(volume_GB) as diff by idx
| eval diff=tonumber(mvindex(diff,0)) - tonumber(mvindex(diff,1))
| eval volume_GB=mvappend(volume_GB,diff)
| xyseries idx _time volume_GB
| foreach * [ eval <<FIELD>>_diff=if(mvcount('<<FIELD>>') > 1, mvindex('<<FIELD>>', 1), null) | eval <<FIELD>>=mvindex('<<FIELD>>',0) ]
| transpose 0 header_field=idx
| eval column=if(match(column,"_"),strftime(mvindex(split(column,"_"),0),"%m/%d/%Y diff"),strftime(column,"%m/%d/%Y"))
| transpose 0 header_field=column
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...