How to create a time chart to track the delta trend per group?

Path Finder

I have logs of the following pattern, and want a time chart to track the per-project field delta trend. As the change is small, visually the delta makes more sense than the actual value as a vertical bar.

[Feb 21 15:50:00 CST 2016] Project=A  field_1=100 field_2=200 field3=302 
[Feb 21 15:50:00 CST 2016] Project=B  field_1=100 field_2=305 field3=300 
[Feb 21 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=304 

[Feb 22 15:50:00 CST 2016] Project=A  field_1=101 field_2=204 field3=305 
[Feb 22 15:50:00 CST 2016] Project=B  field_1=104 field_2=300 field3=300 
[Feb 22 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=303 

[Feb 23 15:50:00 CST 2016] Project=A  field_1=102 field_2=200 field3=301 
[Feb 23 15:50:00 CST 2016] Project=B  field_1=105 field_2=303 field3=300 
[Feb 23 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=307 

Re: How to create a time chart to track the delta trend per group?

SplunkTrust

Try something like this

    your current search giving fields _time Project field_1 field_2 field_3
    | sort 0 Project _time
    | streamstats current=f window=1 values(field_*) as prev* by Project
    | eval delta1=if(isnull(prev1),0,field_1-prev1)
    | eval delta2=if(isnull(prev2),0,field_2-prev2)
    | eval delta3=if(isnull(prev3),0,field_3-prev3)
    | timechart span=1d values(delta1) as delta1 values(delta2) as delta2 values(delta3) as delta3 by Project
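As an added example (not part of the answer above, and not Splunk code), the following Python reproduces what that pipeline computes over the nine sample events from the question, so the expected bar values can be checked before the search is run: a one-event `streamstats` window per Project, the `isnull(prevN)` rule that makes the first delta 0, and daily buckets. It assumes one event per project per day (true of the sample), so each bucket holds that day's delta, and it normalises the sample's `field3` to the `field_3` the answer's opening stage assumes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the nine events shown in the question.
SAMPLE_LOGS = """\
[Feb 21 15:50:00 CST 2016] Project=A  field_1=100 field_2=200 field3=302
[Feb 21 15:50:00 CST 2016] Project=B  field_1=100 field_2=305 field3=300
[Feb 21 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=304
[Feb 22 15:50:00 CST 2016] Project=A  field_1=101 field_2=204 field3=305
[Feb 22 15:50:00 CST 2016] Project=B  field_1=104 field_2=300 field3=300
[Feb 22 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=303
[Feb 23 15:50:00 CST 2016] Project=A  field_1=102 field_2=200 field3=301
[Feb 23 15:50:00 CST 2016] Project=B  field_1=105 field_2=303 field3=300
[Feb 23 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=307
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
FIELDS = ("field_1", "field_2", "field_3")

def parse_events(text):
    """Turn log lines into events with _time, Project and field_1..field_3 (ints)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mon, day, clock, _zone, year = m.group("ts").split()  # zone dropped: %Z is platform dependent
        kv = dict(KV_RE.findall(m.group("kv")))
        ev = {"_time": datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y"), "Project": kv["Project"]}
        for f in FIELDS:
            # The sample writes "field3" without an underscore; normalise it to field_3,
            # which the answer's opening stage assumes is already present.
            ev[f] = int(kv.get(f, kv.get(f.replace("_", ""))))
        events.append(ev)
    return events

def delta_timechart(events):
    """Emulate: sort 0 Project _time | streamstats current=f window=1 ... by Project
    | eval deltaN=if(isnull(prevN),0,field_N-prevN) | timechart span=1d by Project."""
    prev = {}                       # one-event window of previous values per Project
    chart = defaultdict(dict)       # span=1d buckets -> {Project: deltas}
    for ev in sorted(events, key=lambda e: (e["Project"], e["_time"])):
        p = ev["Project"]
        last = prev.get(p, {})      # empty on the first event of a Project (isnull(prevN))
        deltas = {f"delta{i}": 0 if f not in last else ev[f] - last[f]
                  for i, f in enumerate(FIELDS, start=1)}
        prev[p] = {f: ev[f] for f in FIELDS}
        chart[ev["_time"].date().isoformat()][p] = deltas
    return dict(chart)
```

With the sample, Project A's Feb 22 bucket is delta1=1, delta2=4, delta3=3 and Feb 23 is 1, -4, -4, which is the small movement the vertical bars are meant to show.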