Splunk Search
Highlighted

How to create a time chart to track the delta trend per group?

Path Finder

I have logs of following pattern, and want a time chart to track the per project field delta trend. As the change is small, visually delta makes more sense then actual value as a vertical bar.

[Feb 21 15:50:00 CST 2016] Project=A  field_1=100 field_2=200 field3=302 
[Feb 21 15:50:00 CST 2016] Project=B  field_1=100 field_2=305 field3=300 
[Feb 21 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=304 

[Feb 22 15:50:00 CST 2016] Project=A  field_1=101 field_2=204 field3=305 
[Feb 22 15:50:00 CST 2016] Project=B  field_1=104 field_2=300 field3=300 
[Feb 22 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=303 

[Feb 23 15:50:00 CST 2016] Project=A  field_1=102 field_2=200 field3=301 
[Feb 23 15:50:00 CST 2016] Project=B  field_1=105 field_2=303 field3=300 
[Feb 23 15:50:00 CST 2016] Project=C  field_1=100 field_2=200 field3=307 
Highlighted

Re: How to create a time chart to track the delta trend per group?

SplunkTrust
SplunkTrust

Try something like this

your current search giving fields _time Project field_1 field_2 field_3 | sort 0 Project _time| streamstats current=f window=1 values(field_*) as prev* by Project | eval delta1=if(isnull(prev1),0,field_1-prev1) | eval delta2=if(isnull(prev2),0,field_2-prev2) | eval delta3=if(isnull(prev3),0,field_3-prev3) | timechart span=1d values(delta1) as delta1 values(delta2) as delta2 values(delta3) as delta3 by Project
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.