Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the timechart of difference value .

Padma12345
Explorer
‎06-30-2016 08:39 PM

I have one field abc which contain values of different parameter and it goes on increasing gradually. I have to add the values present in the field abc at two different intervals and then the difference of that two values. I want the timechart of that difference value.
Following is the example

At 12.00 AM                           At 12.00 PM
def         abc                       def         abc
xxx         11                        xxx         13
xxy         23                        xxy         25
xyy         09                        xyy         11
yyy         45                        yyy         48

What I have to do is add values of field abc which contain x at 12 am & 12 pm and then want to show timechart of the difference. i.e at 12 am: 11+23+09=43 & at 12 pm: 13+25+11=49, then 49-43= 7, then timechart this value.

Any help is appreciated..

Thanks.....!

Padma

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-04-2016 08:04 AM

I am taking a VERY loose interpretation of the timechart portion of your request (otherwise it doesn't make sense). Like this:

... stats min(_time) AS startTime max(_time) AS endTime sum(xxx) AS xxx sum(xxy) AS xxy | eval diff=abs(xxx-xxy)
0 Karma
Reply

sundareshr
Legend
‎07-04-2016 07:46 AM

Try this

index=* def="*x*" abc=* | timechart span=15m sum(abc) as total | delta total as delta | fields - total
0 Karma
Reply

Padma12345
Explorer
‎07-03-2016 11:45 PM

Please find the below raw events

7/4/16
11:30:00.000 AM
"1467612000.000","-","xxx","37211.2265625"
7/4/16
11:30:00.000 AM
"1467612000.000","-","xxy","45632.70703125"

7/4/16
11:15:00.000 AM
"1467611100.000","-","xxx","37208.40234375"
7/4/16
11:15:00.000 AM
"1467611100.000","-","xxy","45629.41015625"

I want to add value of xxx & xxy at 11.15 & 11.30 am and then need to plot the timechart of difference value.

Thanks

Padma

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-01-2016 07:07 PM

I started thinking streamstats, then foreach, but finally settled on exactly what woodcock said - a few raw events would go very far in helping us understand the question better and without them we're more or less blind.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2016 08:53 AM

Show me 2 raw events and I will give you an answer. I do not understand the raw event format.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...