Solved: Re: How do I search the difference between the the...

andra_pietraru · ‎06-12-2015

Right now, I am computing the latest value of a field per ID per each day and then I compute the sum of it. But I would like to see the difference between e.g. sum of day 2 - sum of day 1 as the range for day 2.

My search:

msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID| timechart span=1d sum(lastSeenValue)

What I want to achieve is to find the range of field myField per day.
I tried using range(myField) but that will miss adding the last event of the previous day.
Any suggestions? Thanks!

woodcock · ‎06-12-2015

Try this:

 msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f  last(sumLastSeenValue ) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue

View solution in original post

woodcock · ‎06-12-2015

Try this:

 msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f  last(sumLastSeenValue ) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue

andra_pietraru · ‎06-14-2015

Worked like a charm. Thanks!

How do I search the difference between the the sum of latest value from two consecutive days?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM