Splunk Search

How to find difference between two events with streamstats?

Communicator

I have search as follow:

index=someindex_01 | stats count as incoming_counts by incoming_date | table incoming_counts incoming_date | appendcols [search index=someindex_01 | stats count as outgoing_counts by outgoing_date | table outgoing_counts ] | eval difference=incoming_counts-outgoing_counts | streamstats sum(difference) as accumulated_difference

Results as follow:

incoming_date   incoming_counts   outgoing_counts   difference   accumulated_difference
12/01/2015          230            186           44             44  
12/02/2015          176            252          -76               -32   
12/03/2015          188            204          -16               -48  <== this is where it starts the error
12/04/2015          142             86           56              8  
12/05/2015          70             115           -45              -37
12/06/2015          133            367         -234             -271

If you notice, streamstats as 'accumulated_difference' gives error value on its results when sum two negative value. Any advise whether my understanding of streamstats was wrong or it is a defect?

0 Karma
1 Solution

Legend

-48 is the correct answer. The math is (-32) + (-16). Think of it like a cumulative total. If you want difference between only 2 rows, then look at the window option

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Streamstats

View solution in original post

Legend

-48 is the correct answer. The math is (-32) + (-16). Think of it like a cumulative total. If you want difference between only 2 rows, then look at the window option

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Streamstats

View solution in original post

Communicator

Hey @sundareshr,

window option is working on my case. Appreciate that!

0 Karma