Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Delta for different fields?

nbharadwaj
Path Finder
‎05-11-2010 12:08 AM

I need to calculate the object allocation rate in the jvm. That value can be derived from the jvmlogs. If I subtract the "heapBeforeGC" field in one line from the “heapAfterGC” field in the previous line and divide it by the elapse time I can get a good estimate for how many bytes we allocate in the jvm per unit of time.
I need to trend that value.

Delta provides a diff between the same field in adjacent events. What can I use to diff different fields in adjacent events, and then trend that?

Here are couple of log lines:

2010-05-11T00:09:26.079+0000: 325107.330: [GC [PSYoungGen: 451418K->42291K(453312K)] 1847697K->1438569K(1874624K), 0.0203820 secs] [Times: user=0.25 sys=0.01, real=0.02 secs]

2010-05-11T00:09:29.776+0000: 325111.027: [GC [PSYoungGen: 453299K->45942K(460864K)] 1849577K->1442220K(1882176K), 0.0228840 secs] [Times: user=0.27 sys=0.01, real=0.03 secs]

I want to diff the fields in bold for successive events

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎05-14-2010 02:50 AM

UPDATE: What you want to do, is use streamstats and eval, as in the following.

| streamstats current=f first(heapAfterGC) as previousheapAfterGC | eval difference=heapBeforeGC-previousheapAfterGC

Neither delta nor autoregress will be of much use to you.

Delta makes a lot of sense, except that it seems it cant handle this case where the two fields are different. You could maybe eval the old field to the new field and somehow get a multivalued field then that has both values, but im not sure what to do then...

But It looks like the autoregress command might give you a different way:
http://www.splunk.com/base/Documentation/latest/SearchReference/Autoregress

<your search> | autoregress heapAfterGC AS previousHeapAfterGC p=1 | eval delta=heapAfterGC-previousHeapAfterGC

Autoregress was created primarily to give you moving averages (with p>1), but it seems to work fine with p=1 too.

Reply

nbharadwaj
Path Finder
‎05-14-2010 05:32 AM

Thanks that might help. However I am using 4.0.10, and it seems autoregress is available in 4.1 and above. Need to upgrade!

0 Karma
Reply

Lowell
Super Champion
‎05-11-2010 08:40 PM

You might also find eventstats useful here, if your looking for some data trending over a few events.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-11-2010 04:06 AM

Please look at the delta search command: http://www.splunk.com/base/Documentation/latest/SearchReference/Delta

0 Karma
Reply

nbharadwaj
Path Finder
‎05-13-2010 03:56 AM

:A=1:B=2
:A=10:B=20
My delta needs to be: B from time2 minus A from time1. If I eval both fields to the same variable, how do I differentiate? Can u give me an example please?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-11-2010 09:45 PM

You can rename or simply eval fields to a field with the same name before applying delta.

Reply

nbharadwaj
Path Finder
‎05-11-2010 08:41 PM

Delta only works for the same field. I am trying to subtract fieldA in current event from fieldB on previous event

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...