Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Perform SUM and DIFF on multiple fields

Atif
Explorer
‎05-28-2021 10:17 AM

Hi,

I'am sending some events each minute to Splunk :

 

TIMEIDINOUT
08:00A10
08:00B00
    
08:01A21
08:01B22
08:01C40
    
08:02A33
08:02B32
    
08:03A64
08:03B33
    
08:04A64
08:04B33
08:04C42
    
08:05A64
08:05B33
08:05C42

 

What i'am trying to get as a result is :

TIMESUMIN - PREVIOUS_SUMINSUMOUT - PREVIOUS_SUMOUT
08:00=1+0 = 1=0+0 = 0
08:01=2+2+4 - (1+0) = 7=1+2+0 - (0+0) = 3
08:02=3+3 - (2+2+4) = -2=3+2 - (1+2+0) = 2
08:03=6+3 - (3+3) = 3=4+3 - (3+2) = 2
08:04=6+3+4 - (6+3) = 4=4+3+2 - (4+3) = 2
08:05=6+3+4 - (6+3+4) = 0=4+3+2 - (4+3+2) = 0

 

After that i need to plot the two columns using a timechart by TIME

 

Any hints are welcome.

 

Thank you guys

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-04-2021 02:56 AM 
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| fillnull value=0 previous_in previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-28-2021 02:20 PM 
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change
0 Karma
Reply
Solved! Jump to solution

Atif
Explorer
‎06-04-2021 02:04 AM

Thank you @ITWhisperer  for your feedback.

I have tried your hint but i'am not getting the first line as expected :

Atif_1-1622797387715.png

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-04-2021 02:56 AM 
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| fillnull value=0 previous_in previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...