Splunk Search

Perform SUM and DIFF on multiple fields

Atif
Explorer

Hi,

I'am sending some events each minute to Splunk :

 

TIMEIDINOUT
08:00A10
08:00B00
    
08:01A21
08:01B22
08:01C40
    
08:02A33
08:02B32
    
08:03A64
08:03B33
    
08:04A64
08:04B33
08:04C42
    
08:05A64
08:05B33
08:05C42

 

What i'am trying to get as a result is :

TIMESUMIN - PREVIOUS_SUMINSUMOUT - PREVIOUS_SUMOUT
08:00=1+0 = 1=0+0 = 0
08:01=2+2+4 - (1+0) = 7=1+2+0 - (0+0) = 3
08:02=3+3 - (2+2+4) = -2=3+2 - (1+2+0) = 2
08:03=6+3 - (3+3) = 3=4+3 - (3+2) = 2
08:04=6+3+4 - (6+3) = 4=4+3+2 - (4+3) = 2
08:05=6+3+4 - (6+3+4) = 0=4+3+2 - (4+3+2) = 0

 

After that i need to plot the two columns using a timechart by TIME

 

Any hints are welcome.

 

Thank you guys

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| fillnull value=0 previous_in previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change
0 Karma

Atif
Explorer

Thank you @ITWhisperer  for your feedback.

I have tried your hint but i'am not getting the first line as expected :

Atif_1-1622797387715.png

 

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| bin span=1m time
| stats sum(in) as in sum(out) as out by time
| streamstats window=1 current=f values(in) as previous_in values(out) as previous_out
| fillnull value=0 previous_in previous_out
| eval in_change=in-previous_in
| eval out_change=out-previous_out
| table time in_change out_change
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...