Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get delta from more than one field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get delta from more than one field
splunkrocks2014
Communicator
07-06-2018
01:37 PM
The following is a list of items per date from different counts. How can I get the delta from count_a, count_b, and count_c based on the same item compared to the previous date? Thanks.
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-12-2018
08:10 PM
Like this:
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
| eval _time = strptime(date, "%m/%d/%Y")
| sort 0 _time
| streamstats current=f last(count*) AS prev_count* BY item
| foreach count* [ eval diff<<MATCHSTR>> = <<FIELD>> - prev_count<<MATCHSTR>> ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-06-2018
02:05 PM
Give this a try
your current search with date coming in reverse chronological order (descending order of dates)
| streamstats values(count_*) as prev_* by item
| foreach count_* [| eval delta_<<MATCHSTR>>=abs(prev_<<MATCHSTR>>-count_<<MATCHSTR>>)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkrocks2014
Communicator
07-09-2018
08:12 AM
it doesn't seem working. I can use "delta" command, but the "delta" command only apply one field. For example,
| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_a
| append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_b]
| append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| table date item count_a count_b count_c
| sort - date
| delta count_c]
Get Updates on the Splunk Community!
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
