Why are there issues with delta query by multiple ...

thaghost99 · ‎03-09-2022

index=testlab sourcetype=testcsv

| rex field="status detail" "(?<message_received_name>Messages Received)\\s*[0-9,]*\s*[0-9,]*\s*(?<message_received>[0-9,]*)"
| rex field=message_received mode=sed "s/,//g"
| eval myInt = tonumber(message_received)
| reverse
| delta myInt as message_received_delta
| timechart span=10m sum(message_received_delta) by Hostname

the problem i find is that when i am doing only 1 hostname at a time. it works just fine. (note the data is incremental counters only). but when i introduce additional hostnames, i see some hostnames would show a negative value. it should only show positive numbers (0 to inifinity)

again when i do single host, it works just fine. 🙂 really need help on this one.

bowesmana · ‎03-09-2022

@thaghost99

Unfortunately delta works simply on the message stream and does not support any 'by FIELD' construct.

You need to use streamstats for that - note that when splitting by fields in streamstats you need to use the global=f flag.

Take a look at the reply to your other message which shows you the streamstats construct that should work.

Kudos for experimenting! Good to learn.

Why are there issues with delta query by multiple hostnames?

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation