Splunk Search

Delta on several fields, separated by id

Builder

I have multiple events like:

field1; otherTimestamp; field2;field3;field4
test;1371481920.000000,value2,value3...
test,1371481980.000000,value4,value5...
othertest,1371481920.000000,value...

I want to compute a delta on the otherTimestamp field, but the delta should be 0 if field1 changed... I also want to see all the other fields for each event.

I tried to use delta, but I couldn't make delta begin at 0 when field1 changed...

I've tried to put a | transaction field1 | in front of the delta, but then all the lines are in a single event, and I'd like distinct events...

Can I do it with streamstats somehow? What is the best way?


1 Solution

Legend

Did you see this? http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts

It shows how to create a delta split by certain fields using streamstats.



Legend

See streamstats docs. Remove window. I'm expecting you to do some work yourself here - I'm just giving you pointers on how to solve your problem.


Builder

Thank you, but how can I display all the fields from current?


Legend

Something like this:

... | streamstats window=2 current=t global=f earliest(otherTimestamp) as curr, latest(otherTimestamp) as next by field1 | eval delta=next-curr
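To make the behaviour of that search concrete, here is an added Python emulation of it (this is not code from the original thread or from Splunk): it keeps a separate two-event sliding window per field1 value, takes earliest/latest of otherTimestamp inside that window, and writes curr, next and delta onto each event while leaving every other field untouched, which is exactly why the delta is 0 on the first event of each field1 group. It also goes one step beyond the thread and shows the equivalent "previous value" idiom without a window (streamstats current=f last(otherTimestamp) as prev by field1, as hinted at in the "Remove window" reply). The sample rows, the function names and the assumption that events are fed in oldest-first order (in SPL that means a | sort 0 otherTimestamp or | reverse before streamstats, since search results normally arrive newest-first) are mine; it also assumes otherTimestamp follows the events' _time order, so earliest()/latest() over the window reduce to min/max.

```python
"""Emulate `streamstats window=2 current=t global=f earliest(otherTimestamp) as curr,
latest(otherTimestamp) as next by field1 | eval delta=next-curr` in plain Python."""
from collections import defaultdict, deque

# Constructed sample input patterned on the question's rows (not real data).
# Comma-separated throughout, header first, one extra 'test' row added to show a
# second non-zero delta.
SAMPLE = """\
field1,otherTimestamp,field2,field3
test,1371481920.000000,value2,value3
test,1371481980.000000,value4,value5
othertest,1371481920.000000,value6,value7
test,1371482100.000000,value8,value9
"""


def parse_events(text):
    """Turn the CSV-like sample into a list of dicts, one per event, keeping all fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    events = []
    for line in lines[1:]:
        ev = dict(zip(header, (v.strip() for v in line.split(","))))
        ev["otherTimestamp"] = float(ev["otherTimestamp"])
        events.append(ev)
    return events


def streamstats_window_delta(events, by="field1", ts="otherTimestamp", window=2):
    """The search from the answer: a sliding window of `window` events per `by` value,
    including the current event (current=t). earliest/latest of `ts` inside the window
    give curr/next; the first event of each group is alone in its window, so delta=0.
    Every original field is carried through untouched; only curr/next/delta are added."""
    windows = defaultdict(lambda: deque(maxlen=window))  # one window per field1 value
    out = []
    for ev in events:
        w = windows[ev[by]]
        w.append(ev[ts])
        # Assumption: ts is in _time order, so earliest()/latest() are min/max here.
        curr, nxt = min(w), max(w)
        out.append({**ev, "curr": curr, "next": nxt, "delta": nxt - curr})
    return out


def streamstats_prev_delta(events, by="field1", ts="otherTimestamp"):
    """Equivalent idiom without a window, i.e.
    `streamstats current=f last(otherTimestamp) as prev by field1
     | eval delta=if(isnull(prev), 0, otherTimestamp - prev)`.
    current=f means prev is the previous event of the same group, null on the first."""
    prev_by_group = {}
    out = []
    for ev in events:
        prev = prev_by_group.get(ev[by])
        delta = 0.0 if prev is None else ev[ts] - prev
        prev_by_group[ev[by]] = ev[ts]
        out.append({**ev, "prev": prev, "delta": delta})
    return out


def run(text=SAMPLE):
    """Parse the sample, order it oldest-first (assumption: `| sort 0 otherTimestamp`
    or `| reverse` was applied before streamstats) and apply the window=2 search."""
    events = sorted(parse_events(text), key=lambda e: e["otherTimestamp"])
    return streamstats_window_delta(events)


def run_prev(text=SAMPLE):
    """Same ordering, alternative 'previous value' idiom; deltas must match run()."""
    events = sorted(parse_events(text), key=lambda e: e["otherTimestamp"])
    return streamstats_prev_delta(events)


if __name__ == "__main__":
    for ev in run():
        print(ev)
```

Run it and the two test rows with field1=test that follow another test row get deltas of 60 and 120 seconds, while the first test row and the othertest row (which never sees a second event of its own group) get 0; field2/field3 are still present on every output row, which is the point of the "streamstats does not remove any fields" reply below.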

Builder

Could you post me an example of how to do it, based on this example?
(making a delta on one field, and only displaying the others)


Legend

No. streamstats does not remove any fields, it just writes a couple more to each event.


Builder

ok, but there are other fields that are different on each event... see example value2, value4. If I group by the id_field, am I also losing all the other fields?


Legend

well "same ID_fields" <-- that's grouping, no? streamstats ... by yourfield


Builder

Yes, but in all the examples it is always grouping things...
I only want to compute the delta when events have the same ID_fields, but I need to see all the events...
