Splunk Enterprise

How to count the delta of the first and the last event

spisiakmi
Contributor

Hi, can you help me to solve this problem, please?

I have index=index1

In a specified time range, e.g. 3 hours, I have these events. Time is a regular time point, where the electric power has been measured. ID is the name of the electrical counter, which counts the electrical measurements. Value is the measured electrical power [kW]. 

Time                 ID        Value
02.07.2020 06:00:00  counter1  1000
02.07.2020 06:00:00  counter2  2000
02.07.2020 06:00:00  counter3  3000
02.07.2020 07:00:00  counter1  2000
02.07.2020 07:00:00  counter2  3000
02.07.2020 07:00:00  counter3  4000
02.07.2020 08:00:00  counter1  3000
02.07.2020 08:00:00  counter2  4000
02.07.2020 08:00:00  counter3  5000

How can I count the consumption of each counter in this time range?

I need this output

ID        consumption
counter1  2000
counter2  2000
counter3  2000

Thank you

0 Karma
1 Solution

renjith_nair
Legend

@spisiakmi,

Assuming that the counter always increases and does not reset, try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

---
What goes around comes around. If it helps, hit it with Karma 🙂


0 Karma

gcusello
SplunkTrust

Hi @spisiakmi ,

can we say that the max value for each ID is the result you want?

if yes, try something like this:

index=index1
| stats max(Value) AS value BY ID

Ciao.

Giuseppe

0 Karma

spisiakmi
Contributor

Hi

No, you need to do max-min. The counter always increases.

0 Karma

gcusello
SplunkTrust

Hi @spisiakmi ,

try:

index=index1
| stats max(Value) as max min(Value) as min by ID
| eval delta=max-min

Ciao.

Giuseppe

0 Karma

to4kawa
Ultra Champion

| makeresults 
| eval _raw="Time	ID	Value
02.07.2020 06:00:00	counter1	1000
02.07.2020 06:00:00	counter2	2000
02.07.2020 06:00:00	counter3	3000
02.07.2020 07:00:00	counter1	2000
02.07.2020 07:00:00	counter2	3000
02.07.2020 07:00:00	counter3	4000
02.07.2020 08:00:00	counter1	3000
02.07.2020 08:00:00	counter2	4000
02.07.2020 08:00:00	counter3	5000"
| multikv forceheader=1
| stats range(Value) by ID

try | stats range()

spisiakmi
Contributor

@to4kawa

Oh yeah. Very, very elegant.

0 Karma


spisiakmi
Contributor

@renjith_nair, you are absolutely right. It was so easy, and I have done it so many times already. Thank you very much.

0 Karma