I have a search as follows:
index=someindex_01 | stats count as incoming_counts by incoming_date | table incoming_counts incoming_date | appendcols [search index=someindex_01 | stats count as outgoing_counts by outgoing_date | table outgoing_counts ] | eval difference=incoming_counts-outgoing_counts | streamstats sum(difference) as accumulated_difference
Results as follows:
incoming_date  incoming_counts  outgoing_counts  difference  accumulated_difference
12/01/2015     230              186              44          44
12/02/2015     176              252              -76         -32
12/03/2015     188              204              -16         -48   <== this is where it starts the error
12/04/2015     142              86               56          8
12/05/2015     70               115              -45         -37
12/06/2015     133              367              -234        -271
If you notice, streamstats as 'accumulated_difference' gives an error value in its results when it sums two negative values. Any advice on whether my understanding of streamstats was wrong or whether it is a defect?
-48 is the correct answer. The math is (-32) + (-16). Think of it like a cumulative total. If you want the difference between only 2 rows, then look at the window option.
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Streamstats
Hey @sundareshr,
The window option is working in my case. Appreciate that!
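The difference between the default running total and the window option discussed in this thread, as an added example that is not part of the original posts and is not Splunk code. It is a Python emulation over the rows from the question; the function names are hypothetical, and the assumed semantics (window=0 means all events so far, the current event is included in the window) follow the streamstats documentation linked above.

```python
# Emulates Splunk's `streamstats sum(field)` for illustration only (not Splunk code).
# Assumed semantics, per the streamstats documentation linked in the thread:
#   window=0 (default) -> running total over all events seen so far
#   window=N           -> sum over the last N events, current event included
from collections import deque

# Rows copied from the question: (incoming_date, incoming_counts, outgoing_counts)
ROWS = [
    ("12/01/2015", 230, 186),
    ("12/02/2015", 176, 252),
    ("12/03/2015", 188, 204),
    ("12/04/2015", 142, 86),
    ("12/05/2015", 70, 115),
    ("12/06/2015", 133, 367),
]


def streamstats_sum(values, window=0):
    """Return one sum per event over the trailing window (0 = unbounded)."""
    if window < 0:
        raise ValueError("window must be >= 0")
    recent = deque(maxlen=window or None)  # maxlen=None keeps every event
    total = 0
    out = []
    for value in values:
        if window and len(recent) == window:
            total -= recent[0]  # oldest value is about to leave the window
        recent.append(value)
        total += value
        out.append(total)
    return out


def report(rows, window):
    """Return (date, difference, cumulative_sum, windowed_sum) per row."""
    diffs = [incoming - outgoing for _, incoming, outgoing in rows]
    cumulative = streamstats_sum(diffs)
    windowed = streamstats_sum(diffs, window)
    dates = [date for date, _, _ in rows]
    return list(zip(dates, diffs, cumulative, windowed))


if __name__ == "__main__":
    for date, diff, cum, win in report(ROWS, window=2):
        print(f"{date}  diff={diff:5d}  cumulative={cum:5d}  window=2: {win:5d}")
```
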