Difference between two perfmon counters from the s...

rholm01 · ‎02-26-2021

Counter 1 - Perfmon: Inbound Data rate

Counter 2 - Perfmon:Outbound Data rate

source="Perfmon:PostilionPostbridgeInterchanges"

My values look something like this: 0.007956853689073186

I am looking for the difference between the two counters and to reduce the number to 3 places behind the decimal point, if possible.

tscroggins · ‎02-27-2021

@rholm01

This may work:

| streamstats current=f last(Value) as previous_Value by host counter
| eval delta_Value=round(Value - previous_Value, 3)

If you want the absolute difference:

| eval delta_Value=round(abs(Value - previous_Value), 3)

If you find Splunk's rounded values disagreeing with exact calculations, you can tell Splunk to use exact math to the limits of the operating environment's floating point precision:

| eval delta_Value=exact(round(abs(Value - previous_Value), 3))

Difference between two perfmon counters from the same source to identify bottleneck

chart

count

eval

stats

table

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation

Difference between two perfmon counters from the same source to identify bottleneck

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.