Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get delta from more than one field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get delta from more than one field
splunkrocks2014
Communicator
07-06-2018
01:37 PM
The following is a list of items per date from different counts. How can I get the delta from count_a, count_b, and count_c based on the same item compared to the previous date? Thanks.
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-12-2018
08:10 PM
Like this:
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
| eval _time = strptime(date, "%m/%d/%Y")
| sort 0 _time
| streamstats current=f last(count*) AS prev_count* BY item
| foreach count* [ eval diff<<MATCHSTR>> = <<FIELD>> - prev_count<<MATCHSTR>> ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-06-2018
02:05 PM
Give this a try
your current search with date coming in reverse chronological order (descending order of dates)
| streamstats values(count_*) as prev_* by item
| foreach count_* [| eval delta_<<MATCHSTR>>=abs(prev_<<MATCHSTR>>-count_<<MATCHSTR>>)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkrocks2014
Communicator
07-09-2018
08:12 AM
it doesn't seem working. I can use "delta" command, but the "delta" command only apply one field. For example,
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_a
| append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_b]
| append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_c]
Get Updates on the Splunk Community!
What the End of Support for Splunk Add-on Builder Means for You
Hello Splunk Community!
We want to share an important update regarding the future of the Splunk Add-on Builder ...
Solve, Learn, Repeat: New Puzzle Channel Now Live
Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
