Re: How to get delta from more than one field

splunkrocks2014 · ‎07-06-2018

The following is a list of items per date from different counts. How can I get the delta from count_a, count_b, and count_c based on the same item compared to the previous date? Thanks.

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c

woodcock · ‎07-12-2018

Like this:

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
| eval _time = strptime(date, "%m/%d/%Y")
| sort 0 _time
| streamstats current=f last(count*) AS prev_count* BY item
| foreach count* [ eval diff<<MATCHSTR>> = <<FIELD>> - prev_count<<MATCHSTR>> ]

somesoni2 · ‎07-06-2018

Give this a try

your current search with date coming in reverse chronological order (descending order of dates)
| streamstats values(count_*) as prev_* by item
| foreach count_* [| eval delta_<<MATCHSTR>>=abs(prev_<<MATCHSTR>>-count_<<MATCHSTR>>)]

splunkrocks2014 · ‎07-09-2018

it doesn't seem working. I can use "delta" command, but the "delta" command only apply one field. For example,

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_a
 | append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_b]
 | append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_c]

How to get delta from more than one field

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Are you a member of the Splunk Community?

How to get delta from more than one field

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1