Atif
Explorer
05-28-2021
10:17 AM
Hi,
I'm sending some events each minute to Splunk:
TIME | ID | IN | OUT |
08:00 | A | 1 | 0 |
08:00 | B | 0 | 0 |
08:01 | A | 2 | 1 |
08:01 | B | 2 | 2 |
08:01 | C | 4 | 0 |
08:02 | A | 3 | 3 |
08:02 | B | 3 | 2 |
08:03 | A | 6 | 4 |
08:03 | B | 3 | 3 |
08:04 | A | 6 | 4 |
08:04 | B | 3 | 3 |
08:04 | C | 4 | 2 |
08:05 | A | 6 | 4 |
08:05 | B | 3 | 3 |
08:05 | C | 4 | 2 |
What I'm trying to get as a result is:
TIME | SUMIN - PREVIOUS_SUMIN | SUMOUT - PREVIOUS_SUMOUT |
08:00 | =1+0 = 1 | =0+0 = 0 |
08:01 | =2+2+4 - (1+0) = 7 | =1+2+0 - (0+0) = 3 |
08:02 | =3+3 - (2+2+4) = -2 | =3+2 - (1+2+0) = 2 |
08:03 | =6+3 - (3+3) = 3 | =4+3 - (3+2) = 2 |
08:04 | =6+3+4 - (6+3) = 4 | =4+3+2 - (4+3) = 2 |
08:05 | =6+3+4 - (6+3+4) = 0 | =4+3+2 - (4+3+2) = 0 |
After that I need to plot the two columns using a timechart by TIME.
Any hints are welcome.
Thank you guys
1 Solution
ITWhisperer
SplunkTrust
06-04-2021
02:56 AM
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| fillnull value=0 previous_in previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change
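To see what the accepted search actually computes on the sample events, here is a Python re-implementation of its steps: bin each event into a 1-minute bucket, sum in/out per bucket, carry the previous bucket's sums forward (streamstats window=1 current=f), fill the missing first "previous" with 0 (fillnull), then subtract. This is an added example for illustration, not SPL and not part of the thread; the event list is constructed from the question's table, and the function names are my own.

```python
from collections import defaultdict

# Constructed from the question's sample table: (time, id, in, out)
SAMPLE_EVENTS = [
    ("08:00", "A", 1, 0), ("08:00", "B", 0, 0),
    ("08:01", "A", 2, 1), ("08:01", "B", 2, 2), ("08:01", "C", 4, 0),
    ("08:02", "A", 3, 3), ("08:02", "B", 3, 2),
    ("08:03", "A", 6, 4), ("08:03", "B", 3, 3),
    ("08:04", "A", 6, 4), ("08:04", "B", 3, 3), ("08:04", "C", 4, 2),
    ("08:05", "A", 6, 4), ("08:05", "B", 3, 3), ("08:05", "C", 4, 2),
]


def bin_1m(timestamp):
    """Equivalent of `bin span=1m time`: truncate HH:MM or HH:MM:SS to the minute."""
    hours, minutes = timestamp.split(":")[:2]
    return f"{hours}:{minutes}"


def sum_by_minute(events):
    """Equivalent of `stats sum(in) as in sum(out) as out by time`.

    Returns a time-sorted list of (bucket, in_total, out_total).
    """
    totals = defaultdict(lambda: [0, 0])
    for timestamp, _id, in_count, out_count in events:
        bucket = bin_1m(timestamp)
        totals[bucket][0] += in_count
        totals[bucket][1] += out_count
    return [(bucket, v[0], v[1]) for bucket, v in sorted(totals.items())]


def minute_changes(events, fill_first=True):
    """Equivalent of the streamstats / fillnull / eval part of the search.

    With fill_first=True the first bucket's previous sums are treated as 0,
    as `fillnull value=0 previous_in previous_out` does. With fill_first=False
    the first row's change is None, which mirrors Splunk's null arithmetic
    when fillnull is left out (the behaviour reported in the thread).
    """
    rows = []
    prev_in = prev_out = None
    for bucket, in_total, out_total in sum_by_minute(events):
        if prev_in is None and not fill_first:
            rows.append((bucket, None, None))
        else:
            base_in = 0 if prev_in is None else prev_in
            base_out = 0 if prev_out is None else prev_out
            rows.append((bucket, in_total - base_in, out_total - base_out))
        prev_in, prev_out = in_total, out_total
    return rows


if __name__ == "__main__":
    for row in minute_changes(SAMPLE_EVENTS):
        print(row)
```

Running it reproduces the table from the question exactly: (08:00, 1, 0), (08:01, 7, 3), (08:02, -2, 2), (08:03, 3, 2), (08:04, 4, 2), (08:05, 0, 0). Note that a bucket with no events at all would simply be absent from `stats ... by time`, so the next delta is taken against the last bucket that had data rather than against an empty minute; if every minute must appear, `timechart span=1m` (which emits empty buckets) is the command to look at.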
ITWhisperer
SplunkTrust
05-28-2021
02:20 PM
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change
Atif
Explorer
06-04-2021
02:04 AM
Thank you @ITWhisperer for your feedback.
I have tried your hint but I'm not getting the first line as expected: