Understanding how delta and streamstats handle no value


This is my search to simulate the data I need to illustrate:

| makeresults 
     | eval data = "
1-Sep    7820592;
2-Sep    7821163;
3-Sep    7821111;
4-Sep    7822068;
5-Sep    7822669;"
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)"
     | fields + Date kpi1 | fields - _time
     | search kpi1 = * 
     | eval "kpi1"=if(Date=="3-Sep","",'kpi1')
     | delta kpi1 as kpi1_diff
     | streamstats range(kpi1) as kpi1_ss window=2

which gives this output (I am interested in how Splunk handles no data, i.e. no value; e.g. 3-Sep has no value below):

    Date    kpi1      kpi1_diff   kpi1_ss
1   1-Sep   7820592               0
2   2-Sep   7821163   571         571
3   3-Sep                         0
4   4-Sep   7822068   905         0
5   5-Sep   7822669   601         601

I am trying to understand how streamstats and delta deal with no value.
In this case:

streamstats puts a zero, where there is no value in that row, and a zero in the row after it, then it resumes getting the difference. So it seems it returns zero if one of the 2 values is a no value.

delta is different, if there is a no value, it puts a no value in the corresponding slot and then it resumes getting the difference with the previous available value.

Now my question:
*Can I get streamstats to behave like delta?*

Looking here, allnum=true might be the answer.

0 Karma
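
Added example (not part of the original post, and not Splunk's implementation): a small Python model that reproduces the two columns in the output table above. It assumes delta remembers the last non-empty value, while a window=2 range counts rows but uses only the numeric values inside them; the function names are hypothetical.

```python
# Constructed from the table in the post: "" marks the blanked 3-Sep value.
ROWS = [("1-Sep", "7820592"), ("2-Sep", "7821163"), ("3-Sep", ""),
        ("4-Sep", "7822068"), ("5-Sep", "7822669")]


def to_num(value):
    """Return an int for a numeric string, None for an empty or non-numeric one."""
    return int(value) if value.strip().isdigit() else None


def delta_model(values):
    """Assumed delta behaviour: difference against the previous available value.
    An empty row yields None and does not overwrite the remembered value."""
    out, prev = [], None
    for raw in values:
        cur = to_num(raw)
        if cur is None:
            out.append(None)
            continue
        out.append(None if prev is None else cur - prev)
        prev = cur
    return out


def range_window_model(values, window=2):
    """Assumed streamstats range() behaviour: the window counts rows, but the
    range uses only numeric values, so a lone number gives max - min = 0."""
    out = []
    for i in range(len(values)):
        rows = values[max(0, i - window + 1): i + 1]
        nums = [n for n in map(to_num, rows) if n is not None]
        out.append(max(nums) - min(nums) if nums else None)
    return out


def range_skip_empty(values, window=2):
    """Delta-like variant: the window counts only numeric rows. The result is
    a range (always >= 0), so it matches delta only while values increase."""
    out, seen = [], []
    for raw in values:
        cur = to_num(raw)
        if cur is None:
            out.append(None)
            continue
        seen = (seen + [cur])[-window:]
        out.append(max(seen) - min(seen))
    return out
```

On the post's data, `range_window_model` returns the zeros seen on 3-Sep and 4-Sep because each of those two-row windows holds a single number, while `range_skip_empty` gives 905 on 4-Sep as delta does.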