
Delta for different fields?

Path Finder

I need to calculate the object allocation rate in the JVM. That value can be derived from the JVM logs. If I subtract the "heapBeforeGC" field in one line from the "heapAfterGC" field in the previous line and divide it by the elapsed time, I can get a good estimate for how many bytes we allocate in the JVM per unit of time.
I need to trend that value.

Delta provides a diff between the same field in adjacent events. What can I use to diff different fields in adjacent events, and then trend that?

Here are a couple of log lines:

2010-05-11T00:09:26.079+0000: 325107.330: [GC [PSYoungGen: 451418K->42291K(453312K)] 1847697K->1438569K(1874624K), 0.0203820 secs] [Times: user=0.25 sys=0.01, real=0.02 secs]

2010-05-11T00:09:29.776+0000: 325111.027: [GC [PSYoungGen: 453299K->45942K(460864K)] 1849577K->1442220K(1882176K), 0.0228840 secs] [Times: user=0.27 sys=0.01, real=0.03 secs]

I want to diff the fields in bold for successive events


Re: Delta for different fields?

Splunk Employee
0 Karma

Re: Delta for different fields?

Path Finder

Delta only works for the same field. I am trying to subtract fieldA in current event from fieldB on previous event

0 Karma

Re: Delta for different fields?

Splunk Employee

You can rename or simply eval fields to a field with the same name before applying delta.


Re: Delta for different fields?

Path Finder

:A=1:B=2
:A=10:B=20
My delta needs to be: B from time2 minus A from time1. If I eval both fields to the same variable, how do I differentiate? Can you give me an example please?

0 Karma

Re: Delta for different fields?

Super Champion

You might also find eventstats useful here, if you're looking for some data trending over a few events.

0 Karma

Re: Delta for different fields?

SplunkTrust

UPDATE: What you want to do is use streamstats and eval, as in the following.

| streamstats current=f window=1 first(heapAfterGC) as previousheapAfterGC | eval difference=heapBeforeGC-previousheapAfterGC

Neither delta nor autoregress will be of much use to you.


Delta makes a lot of sense, except that it seems it can't handle this case where the two fields are different. You could maybe eval the old field to the new field and somehow get a multivalued field then that has both values, but I'm not sure what to do then...

But it looks like the autoregress command might give you a different way:
http://www.splunk.com/base/Documentation/latest/SearchReference/Autoregress

<your search> | autoregress heapAfterGC AS previousHeapAfterGC p=1 | eval delta=heapAfterGC-previousHeapAfterGC

Autoregress was created primarily to give you moving averages (with p>1), but it seems to work fine with p=1 too.
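
The streamstats approach from the update above, carried through to a trended rate, as an added example that is not part of the original thread. The `rex` pattern and the names `previousTime`, `allocatedKB` and `allocKBPerSec` are assumptions: the extraction assumes events shaped like the two log lines in the question and can be dropped if `heapBeforeGC` and `heapAfterGC` are already extracted. `sort 0 _time` puts events in chronological order so that the previous event in the stream is the earlier GC.

```spl
<your search>
| rex "\] (?<heapBeforeGC>\d+)K->(?<heapAfterGC>\d+)K\(\d+K\), [\d.]+ secs\]"
| sort 0 _time
| streamstats current=f window=1 last(heapAfterGC) as previousHeapAfterGC last(_time) as previousTime
| eval allocatedKB = heapBeforeGC - previousHeapAfterGC
| eval allocKBPerSec = allocatedKB / (_time - previousTime)
| timechart span=1m avg(allocKBPerSec) as allocKBPerSec
```

The first event has no predecessor, so its `allocatedKB` is null and it is skipped by `avg`.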


Re: Delta for different fields?

Path Finder

Thanks that might help. However I am using 4.0.10, and it seems autoregress is available in 4.1 and above. Need to upgrade!

0 Karma