How to get delta from more than one field

splunkrocks2014 · ‎07-06-2018

The following is a list of items per date from different counts. How can I get the delta from count_a, count_b, and count_c based on the same item compared to the previous date? Thanks.

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c

woodcock · ‎07-12-2018

Like this:

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
| eval _time = strptime(date, "%m/%d/%Y")
| sort 0 _time
| streamstats current=f last(count*) AS prev_count* BY item
| foreach count* [ eval diff<<MATCHSTR>> = <<FIELD>> - prev_count<<MATCHSTR>> ]

somesoni2 · ‎07-06-2018

Give this a try

your current search with date coming in reverse chronological order (descending order of dates)
| streamstats values(count_*) as prev_* by item
| foreach count_* [| eval delta_<<MATCHSTR>>=abs(prev_<<MATCHSTR>>-count_<<MATCHSTR>>)]

splunkrocks2014 · ‎07-09-2018

it doesn't seem working. I can use "delta" command, but the "delta" command only apply one field. For example,

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_a
 | append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_b]
 | append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_c]

How to get delta from more than one field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to get delta from more than one field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem