Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difference values from accumulated stat

lisheridan
Explorer
‎12-07-2011 12:14 PM

I have some statistic fields that are accumulated values over time. I want to chart the difference values between n and n-1 over time.

For example, number_segments looks like:
[1, 2, 5, 7, 10, ...]

I want to get a timechart of the difference n, n-1:
[1, 1, 3, 2, 3, ...]

How can I do this with the search language?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎12-07-2011 12:38 PM

You'll need either delta or (more flexible and powerful) streamstats:

sourcetype=mydataseries | delta number_segments as diff | timechart diff

or

sourcetype=mydataseries 
| streamstats window=2 current=t global=f
  first(number_segments) as n last(number_segments) as n_minus_1
| eval diff=n_minus_1 - n 
| timechart diff
Reply
Solved! Jump to solution

lisheridan
Explorer
‎12-07-2011 12:49 PM

this works, too, thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎12-07-2011 12:36 PM

Use delta: http://www.splunk.com/base/Documentation/latest/SearchReference/Delta

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...