Splunk Search

How do I prevent initial delta value from breaking my visualization?

EricLloyd79
Builder

I am trying to get the delta of several key-value pairs over a period of an hour. The initial ingestion of data is from a few hours ago yet the earliest time slot for this timechart is empty and the second one has the full value (not the delta) causing my visualizations to be unreadable. I see what its doing - its basically trying to get the previous value for the earliest time slot for the time I've specified, seeing it empty and giving me the delta of the full value but I need it to recognize the previous value, instead of it being blank.

Here is a template for my query:
sourcetype=abc SCTP host="abc.com"

| timechart span=5m max(field1) as field1 max(field2) as field2
| delta field1 as field1d
| delta field2 as field2d

So my output in stats is :
FIRST ROW TIMESLOT: BLANK
SECOND ROW TIMESLOT: field1=2000 field2=5000
THIRD ROW TIMESLOT: field1=0 field2=3

So now my visualization is unreadable...

Tags (2)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this

sourcetype=abc SCTP host="abc.com" | bucket span=5m _time | stats max(field1) as field1 max(field2) as field2 by _time
| delta field1 as field1d
| delta field2 as field2d

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

sourcetype=abc SCTP host="abc.com" | bucket span=5m _time | stats max(field1) as field1 max(field2) as field2 by _time
| delta field1 as field1d
| delta field2 as field2d
0 Karma

sundareshr
Legend

Are these values for field1d or field1? Why is the first timeslot blank for field1? I can understand it being blank for field1d. What would you like the "previous value" for the first row be?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...