Summarize 15 minute intervals of cumulative input

jedatt01 · ‎01-03-2013

I have an input that's value is like an odometer so it's cumulative. I collect a sample every five minutes. If I want to create a timechart that shows the delta between those values at 15 minute intervals how would I do that? See example below.

1/3/13 00:00:00 value=1084
1/3/13 00:05:00 value=2420
1/3/13 00:10:00 value=3247

15 minute delta value = "2163"

jonuwz · ‎01-03-2013

Given this as example data :

| gentimes start=-1 increment=5m | eval _time=starttime | eval value=floor(random()/100000000) | streamstats sum(value) as total | table _time total

You can use timechart and only select the 1st instance of 'total' in any 15 minute range :

(note: if the values are always cumulative, min(total) would also be valid to get the earliest value in the 15 minute range)

... | timechart span=15m first(total) as first_value

then work out the delta between these 2 15 minute intervals :

... | delta first_value as delta

then remove the 'first_value' field from the output

... | fields - first_value

Summarize 15 minute intervals of cumulative input

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Summarize 15 minute intervals of cumulative input

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem