Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get delta from more than one field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get delta from more than one field
splunkrocks2014
Communicator
07-06-2018
01:37 PM
The following is a list of items per date from different counts. How can I get the delta from count_a, count_b, and count_c based on the same item compared to the previous date? Thanks.
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-12-2018
08:10 PM
Like this:
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
| eval _time = strptime(date, "%m/%d/%Y")
| sort 0 _time
| streamstats current=f last(count*) AS prev_count* BY item
| foreach count* [ eval diff<<MATCHSTR>> = <<FIELD>> - prev_count<<MATCHSTR>> ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-06-2018
02:05 PM
Give this a try
your current search with date coming in reverse chronological order (descending order of dates)
| streamstats values(count_*) as prev_* by item
| foreach count_* [| eval delta_<<MATCHSTR>>=abs(prev_<<MATCHSTR>>-count_<<MATCHSTR>>)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkrocks2014
Communicator
07-09-2018
08:12 AM
it doesn't seem working. I can use "delta" command, but the "delta" command only apply one field. For example,
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_a
| append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_b]
| append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_c]
Get Updates on the Splunk Community!
Enhance Your Splunk App Development: New Tools & Support
UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
