Solved: Re: How can I chart 24hr difference between Fields...

waldez · ‎04-08-2016

I am capturing events every minute. Within the events, there is a continuously compounding field: "FlowTotal_Running_B".

At exactly 7am CT, I need to calculate the difference between the current value and the values 24hrs prior (this is "Daily_Total").

With this value I need to create a chart that lists the previous Daily_Totals by day.

Can someone help me out?

Thanks in Advance

somesoni2 · ‎04-08-2016

Try something like this

your base search | bucket span=1m _time | where strftime(_time,"%H:%M")="07:00" | stats values(FlowTotal_Running_B) as FlowTotal_Running_B by _time | detla FlowTotal_Running_B as Daily_Total

View solution in original post

somesoni2 · ‎04-08-2016

Try something like this

your base search | bucket span=1m _time | where strftime(_time,"%H:%M")="07:00" | stats values(FlowTotal_Running_B) as FlowTotal_Running_B by _time | detla FlowTotal_Running_B as Daily_Total

waldez · ‎04-08-2016

Spot on. Thanks!

somesoni2 · ‎04-08-2016

Glad it worked for you. Don't forget to mark it answered by clicking on "Accept"

How can I chart 24hr difference between Fields at exactly 7am over the last 7 days

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases