Splunk Search

How to find the difference between two fields of two searches from two different times?

Path Finder

Hi,

I would like to have the difference between two fields at two different times.
So, what am I supposed to use? eval? append?

I tried this search, but there is a mistake:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv" latest=now() earliest=-15m
| stats sum(RBytes) as "bRBytes"
| append [search latest=-15m earliest=-30m | stats sum(RBytes) as "nRBytes"]
| eval "total"=(nRBytes-bRBytes)
| table total

Thank you for your help.

1 Solution

Motivator

The best way to do this might be to bucket your results into 15-minute increments, and then use delta to get the differences over the computed sums:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv"
| bucket span=15m _time 
| stats sum(RBytes) as RBytesSum by _time
| delta RBytesSum as RBytesDelta

Hope this is helpful.

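To make the bucket / stats / delta pipeline concrete, here is an added Python model of what the accepted search computes (this is not code from the thread and not Splunk's implementation; the events and byte counts are constructed, and the real ap_info.csv layout is not shown on the page). It floors each _time to a 15-minute span, sums RBytes per span in ascending time order as stats does, and then applies delta, which returns the current sum minus the previous span's sum and leaves the first span empty because it has no predecessor. Note the sign: delta gives newer minus older, which is the opposite of the asker's nRBytes-bRBytes (older minus newer), so negate the result if that orientation is wanted.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events standing in for rows of ap_info.csv
# (hypothetical AP names and byte counts; not data from the page).
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:02:00Z", "ap": "ap-1", "RBytes": 1000},
    {"_time": "2024-01-01T10:07:00Z", "ap": "ap-2", "RBytes": 500},
    {"_time": "2024-01-01T10:20:00Z", "ap": "ap-1", "RBytes": 2500},
    {"_time": "2024-01-01T10:29:00Z", "ap": "ap-2", "RBytes": 700},
    {"_time": "2024-01-01T10:35:00Z", "ap": "ap-1", "RBytes": 900},
]

SPAN_SECONDS = 15 * 60  # span=15m


def bucket_time(iso_ts, span=SPAN_SECONDS):
    """Model of `bucket span=15m _time`: floor the epoch time to the span."""
    epoch = int(datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp())
    return epoch - (epoch % span)


def sum_by_bucket(events, field="RBytes", span=SPAN_SECONDS):
    """Model of `stats sum(RBytes) as RBytesSum by _time` on bucketed events.

    Returns [(bucket_epoch, sum), ...] in ascending time order, which is the
    order stats ... by _time produces and the order delta then walks.
    """
    sums = defaultdict(int)
    for ev in events:
        sums[bucket_time(ev["_time"], span)] += ev[field]
    return sorted(sums.items())


def delta(rows):
    """Model of `delta RBytesSum as RBytesDelta`.

    Each row gets (current value - previous row's value). The first row has
    no previous row, so its delta is None (Splunk leaves the field empty).
    """
    out = []
    prev = None
    for t, value in rows:
        out.append((t, value, None if prev is None else value - prev))
        prev = value
    return out


def rbytes_delta_per_15m(events):
    """Whole pipeline: bucket -> sum per bucket -> delta between buckets."""
    return delta(sum_by_bucket(events))


if __name__ == "__main__":
    for t, total, d in rbytes_delta_per_15m(SAMPLE_EVENTS):
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        print(stamp, "RBytesSum=%d" % total, "RBytesDelta=%s" % d)
```

With the constructed events the three spans sum to 1500, 3200 and 900 bytes, and delta reports empty, +1700 and -2300 respectively. The same shape is what you get from the accepted search, one row per 15-minute bucket, which is why it is a better fit than append: after append the two sums sit in different rows, so an eval subtracting one from the other sees a missing field on each row.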
