Re: How do I find the delta between sum of values ...

rajapr15 · ‎01-31-2017

index=_internal type=usage idx=wineventlog | bucket span=1d _time | stats sum(b) as sum by h,_time

The above query gives the sum for "b" values over a period of one day. If I run the query for time period of two days I get two sums for "h". Difference between these two sums need to be found.

rajapr15 · ‎01-31-2017

Thanks!

I found an alternative which worked for me-

index=_internal type=usage idx=wineventlog | chart sum(b) by h date_wday | eval diff=sunday-tuesday | eval diff=abs(diff) | sort -diff

rjthibod · ‎01-31-2017

the date_* fields are not considered authoritative from an accuracy standpoint, and your query will only work as long as you have queries less than one week (non-overlapping days of the week).

rjthibod · ‎01-31-2017

Look at the last answer in this post

https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html

index=_internal type=usage idx=wineventlog 
| bucket span=1d _time 
| stats sum(b) as b by h,_time
| streamstats current=t global=f window=2 latest(b) as curr earliest(b) as next by h
| eval delta=next-curr
| timechart span=1d sum(delta) as delta by h

How do I find the delta between sum of values for two days with below query?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience