Splunk Search

delta command doesn't return accurate results if I have multiple delta in the search

ssyed2009
New Member

My search is:

```
index="xxx" sourcetype="yyy" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count
```

**RESULTS**

| IN-D | IN-E | IN-F | IN-G |
|---|---|---|---|
| 920699302 | 5140913432 | 7287016676 | 533221175 |
| 944835796 | 5149696236 | 7374961617 | 543221084 |
| 971821781 | 5157796684 | 7469880690 | 554235434 |
| 996644156 | 5166493227 | 7566048933 | 566376030 |
| 1021919011 | 5175093160 | 7660955334 | 577854421 |
| 1034750619 | 5183653994 | 7756249835 | 585835689 |
| 1043620281 | 5191941703 | 7840431124 | 593107481 |

Once I add the delta command, I get accurate data for all topics except IN-F, but when I only run delta for topic IN-F, Splunk returns accurate results.

```
index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count
| delta IN-DT as IN-D
| delta IN-E as IN-E
| delta IN-F as IN-F
| delta IN-G as IN-G
| eval date=relative_time(_time,"-1d")
| eval _time=strftime(date, "%F") | table _time IN*
```

Is there something I'm doing wrong?

0 Karma

to4kawa
SplunkTrust
```
index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count
| delta IN-D
| delta IN-E
| delta IN-F
| delta IN-G
| eval date=relative_time(_time,"-1d")
| eval _time=strftime(date, "%F")
| fields - IN*
| rename delta(*) as *
| table _time IN*
```
0 Karma
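
An alternative way to get the per-topic differences, added here as an example and not taken from either post above: compute the difference with `streamstats` while the data is still one row per `_time` and topic, then pivot, so a single command covers every topic matched by `IN*`. It reuses the index, sourcetype and field names from the question; `prev_count` and `delta` are names chosen for this example, and using `max()` for one value per `_time`/topic pair and blanking negative differences (a counter that restarts) are assumptions about the data.

```spl
index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats max(message_count) as message_count by _time topic
| sort 0 topic _time
| streamstats current=f window=1 last(message_count) as prev_count by topic
| eval delta=message_count - prev_count
| eval delta=if(delta < 0, null(), delta)
| xyseries _time topic delta
| eval _time=strftime(relative_time(_time,"-1d"), "%F")
| table _time IN*
```

The earliest `_time` has no previous value for any topic, so it produces no row in the output.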