Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Modify values for timechat based on aggregation function

Oldreader
New Member
‎07-31-2018 03:39 AM

There is metric which accumulative counter of some event. Timechart of this metrics look like monotonic function. I cant change metrics therefor i need to calculate derivative function - increase/decrease of counter per period of time. Example query:

index=some_index host="*" |  timechart span=15s max("some_metric") by host | addtotals fieldname=cur | appendcols [search index=some_index host="*" | eval _time=_time+15 | timechart span=15s max("some_metric") by host | addtotals fieldname=prev ] | eval diff=cur-prev | timechart span=1m  max(diff) as "Aggregation"

index=some_index host="*" | timechart span=15s max("some_metric") by host | addtotals fieldname=cur - calculates total of all hosts
appendcols [search index=some_index host="*" | eval _time=_time+15 | timechart span=15s max("some_metric") by host | addtotals fieldname=prev ]- calculates total of all hosts with timeshift
Now I want to calculate subtraction. All goes fine with total, but how to calculate subtraction to each host?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎07-31-2018 10:39 AM

Try like this

index=some_index host="*" | timechart span=15s max("some_metric") as metric
| delta metric as diff
| timechart span=1m max(diff) as Aggregation
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...