Splunk Search

delta command doesn't return accurate results if I have multiple delta commands in the search

ssyed2009
New Member

My search is:
index="xxx" sourcetype="yyy" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count

**RESULTS**
IN-D IN-E IN-F IN-G
920699302 5140913432 7287016676 533221175
944835796 5149696236 7374961617 543221084
971821781 5157796684 7469880690 554235434
996644156 5166493227 7566048933 566376030
1021919011 5175093160 7660955334 577854421
1034750619 5183653994 7756249835 585835689
1043620281 5191941703 7840431124 593107481

Once I add the delta command to get results, I get accurate data for all topics except IN-F, but when I only run delta for topic IN-F, Splunk returns accurate results.
index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count
| delta IN-DT as IN-D
| delta IN-E as IN-E
| delta IN-F as IN-F
| delta IN-G as IN-G
| eval date=relative_time(_time,"-1d")
| eval _time=strftime(date, "%F")
| table _time IN*

Is there something I'm doing wrong?

0 Karma

to4kawa
Ultra Champion
index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count
| delta IN-D
| delta IN-E
| delta IN-F
| delta IN-G
| eval date=relative_time(_time,"-1d")
| eval _time=strftime(date, "%F") 
| fields - IN*
| rename delta(*) as *
| table _time IN*
0 Karma