Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the timechart of difference value .

Padma12345
Explorer
‎06-30-2016 08:39 PM

I have one field abc which contain values of different parameter and it goes on increasing gradually. I have to add the values present in the field abc at two different intervals and then the difference of that two values. I want the timechart of that difference value.
Following is the example

At 12.00 AM                           At 12.00 PM
def         abc                       def         abc
xxx         11                        xxx         13
xxy         23                        xxy         25
xyy         09                        xyy         11
yyy         45                        yyy         48

What I have to do is add values of field abc which contain x at 12 am & 12 pm and then want to show timechart of the difference. i.e at 12 am: 11+23+09=43 & at 12 pm: 13+25+11=49, then 49-43= 7, then timechart this value.

Any help is appreciated..

Thanks.....!

Padma

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-04-2016 08:04 AM

I am taking a VERY loose interpretation of the timechart portion of your request (otherwise it doesn't make sense). Like this:

... stats min(_time) AS startTime max(_time) AS endTime sum(xxx) AS xxx sum(xxy) AS xxy | eval diff=abs(xxx-xxy)
0 Karma
Reply

sundareshr
Legend
‎07-04-2016 07:46 AM

Try this

index=* def="*x*" abc=* | timechart span=15m sum(abc) as total | delta total as delta | fields - total
0 Karma
Reply

Padma12345
Explorer
‎07-03-2016 11:45 PM

Please find the below raw events

7/4/16
11:30:00.000 AM
"1467612000.000","-","xxx","37211.2265625"
7/4/16
11:30:00.000 AM
"1467612000.000","-","xxy","45632.70703125"

7/4/16
11:15:00.000 AM
"1467611100.000","-","xxx","37208.40234375"
7/4/16
11:15:00.000 AM
"1467611100.000","-","xxy","45629.41015625"

I want to add value of xxx & xxy at 11.15 & 11.30 am and then need to plot the timechart of difference value.

Thanks

Padma

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-01-2016 07:07 PM

I started thinking streamstats, then foreach, but finally settled on exactly what woodcock said - a few raw events would go very far in helping us understand the question better and without them we're more or less blind.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2016 08:53 AM

Show me 2 raw events and I will give you an answer. I do not understand the raw event format.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...