Solved: how to get the hourly increase or decrease of a nu...

jschikar · ‎02-16-2017

Hi,

i have hourly values and i want to see the difference to the hour before.
So instead of hour 1: 10€, hour 2: 20€, hour 3: 10€
I want the increase / decrease: hour 2: +10 hour 3: -10

I imagined this should be possible with a calculated field maybe?

Thanks in advance!

DalJeanis · ‎02-16-2017

This generates some test data -

| makeresults | eval myfield="10 20 15 30 18 40" | makemv myfield | mvexpand myfield 
| streamstats count as hour | eval _time = _time + 3600*hour | bin _time span=1h

This is what you want -

| delta myfield as difference
| table _time hour myfield difference

With this sample output -

_time                         hour      myfield   difference
2017-02-16T20:00:00.000+0000  1         10                  
2017-02-16T21:00:00.000+0000  2         20        10        
2017-02-16T22:00:00.000+0000  3         15        -5        
2017-02-16T23:00:00.000+0000  4         30        15        
2017-02-17T00:00:00.000+0000  5         18        -12       
2017-02-17T01:00:00.000+0000  6         40        22

View solution in original post

DalJeanis · ‎02-16-2017

This generates some test data -

| makeresults | eval myfield="10 20 15 30 18 40" | makemv myfield | mvexpand myfield 
| streamstats count as hour | eval _time = _time + 3600*hour | bin _time span=1h

This is what you want -

| delta myfield as difference
| table _time hour myfield difference

With this sample output -

_time                         hour      myfield   difference
2017-02-16T20:00:00.000+0000  1         10                  
2017-02-16T21:00:00.000+0000  2         20        10        
2017-02-16T22:00:00.000+0000  3         15        -5        
2017-02-16T23:00:00.000+0000  4         30        15        
2017-02-17T00:00:00.000+0000  5         18        -12       
2017-02-17T01:00:00.000+0000  6         40        22

View solution in original post

jschikar · ‎02-16-2017

That's exactly what i want!
Thanks very much, I didn't come across the delta function 🙂

DalJeanis · ‎02-16-2017

No problem. There's a lot of splunk verbs I don't know yet. Every week I learn another one or two, or a better way to use the ones I DO know...

how to get the hourly increase or decrease of a numeric field (hour 1: 10, hour 2: 20 --> increase = 10)

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >

how to get the hourly increase or decrease of a numeric field (hour 1: 10, hour 2: 20 --> increase = 10)

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey.Earn $50 in Amazon cash! Full Details! >

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >