Re: delta command doesn't return accurate results ...

ssyed2009 · ‎02-24-2020

My search is
index="xxx" sourcetype="yyy" topic=IN*
| stats list(message_count) as message_count by _time topic

| xyseries _time topic message_count

**RESULTS**
IN-D IN-E IN-F IN-G
920699302 5140913432 7287016676 533221175
944835796 5149696236 7374961617 543221084
971821781 5157796684 7469880690 554235434
996644156 5166493227 7566048933 566376030
1021919011 5175093160 7660955334 577854421
1034750619 5183653994 7756249835 585835689
1043620281 5191941703 7840431124 593107481

Once I add delta command to get results I get accurate data for all topics except IN-F, but when I only run delta for topic IN-F Splunk returns accurate results
index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats list(message_count) as message_count by _time topic

| xyseries _time topic message_count
| delta IN-DT as IN-D
| delta IN-E as IN-E
| delta IN-F as IN-F
| delta IN-G as IN-G
| eval date=relative_time(_time,"-1d")
| eval _time=strftime(date, "%F") | table _time IN*

Is there something I'm doing wrong?

to4kawa · ‎02-26-2020

index="historic_forensics" sourcetype="kafka_event_count" topic=IN*
| stats list(message_count) as message_count by _time topic
| xyseries _time topic message_count
| delta IN-D
| delta IN-E
| delta IN-F
| delta IN-G
| eval date=relative_time(_time,"-1d")
| eval _time=strftime(date, "%F") 
| fields - IN*
| rename delta(*) as *
| table _time IN*

delta command doesn't return accurate results if i have multiple delta in the search

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...