Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count the delta of the first and the last event

spisiakmi
Contributor
‎07-02-2020 02:11 AM

Hi, can you help me to solve this problem, please?

I have index=index1

In a specified time range, e.g. 3 hours, I have these events. Time is a regular time point, where the electric power has been measured. ID is the name of the electrical counter, which counts the electrical measurements. Value is the measured electrical power [kW]. 

TimeIDValue
02.07.2020 06:00:00counter11000
02.07.2020 06:00:00counter22000
02.07.2020 06:00:00counter33000
02.07.2020 07:00:00counter12000
02.07.2020 07:00:00counter23000
02.07.2020 07:00:00counter34000
02.07.2020 08:00:00counter13000
02.07.2020 08:00:00counter24000
02.07.2020 08:00:00counter35000

How can I count the consumption of each counter in this time range?

I need this output

IDconsumption
counter12000
counter22000
counter32000

 

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-02-2020 02:58 AM

@spisiakmi,

Assuming that the counter always increases and does not reset , try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-02-2020 04:23 AM

Hi @spisiakmi ,

can we say the the max value for each ID is the result you want?

if yes, try something like this:

index=index1
| stats max(value) AS value BY ID

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎07-02-2020 04:30 AM

Hi

no, you need to do max-min. The counter always increase.

Tags (3)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-02-2020 04:46 AM

Hi @spisiakmi ,

try:

index=index1
| stats max(Value) as max min(Value) as min by ID
| eval delta=max-min

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-02-2020 04:34 AM 
| makeresults 
| eval _raw="Time	ID	Value
02.07.2020 06:00:00	counter1	1000
02.07.2020 06:00:00	counter2	2000
02.07.2020 06:00:00	counter3	3000
02.07.2020 07:00:00	counter1	2000
02.07.2020 07:00:00	counter2	3000
02.07.2020 07:00:00	counter3	4000
02.07.2020 08:00:00	counter1	3000
02.07.2020 08:00:00	counter2	4000
02.07.2020 08:00:00	counter3	5000"
| multikv forceheader=1
| stats range(Value) by ID

try | stats range()

Reply
Solved! Jump to solution

spisiakmi
Contributor
‎07-02-2020 04:39 AM

@to4kawa

ou yeah. very very elegant. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-02-2020 02:58 AM

@spisiakmi,

Assuming that the counter always increases and does not reset , try

"your search"|stats max(Value) as high,min(Value) as low by ID
|eval consumption=high-low

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎07-02-2020 04:17 AM

@enjith_nair you have absolutely right. It was so easy and I made it already so many times. Thank you very much.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...