Hi all,
I'm running a search which outputs something like this, ( where time_diff is the date the code was loaded, subtracted from the date the search is ran in days)-
Machine_Serial Bundle time_diff
75BMY43 1.1 50
1.2 25
1.3 5
1.4 3
75RAB99 1.2 30
1.3 10
1.4 5
What I am trying to achieve is to take one time_diff then subtract the proceeding time_diff so the last two time_diff's in for Machine_Serial would be 50-25=25 then 25-5=20 and so forth, up until the most current which would be 3 ( nothing is done to this one since it is currently on this level and it should grow until another Bundle is loaded). I hope that by using this method I can get the amount of time that the Bundle was loaded on a machine, with out it growing. So it would look something like this
Machine_Serial Bundle time_diff time_on_machine
75BMY43 1.1 50 25
1.2 25 20
1.3 5 2
1.4 3 3
75RAB99 1.2 30 20
1.3 10 5
1.4 5 5
Is there any way I can achieve this? Thank you and please let me know if there are any questions.
Add this:
| mvexpand time_diff
| reverse | streamstats current=f last(time_diff) AS prev_time_diff BY Machine_Serial
| reverse | eval time_on_machine = time_diff - coalesce(prev_time_diff,0)
| fields - prev_time_diff
| eventstats list(time_on_machine) AS time_on_machine list(time_diff) AS time_diff BY Machine_Serial
| dedup Machine_Serial
Add this:
| mvexpand time_diff
| reverse | streamstats current=f last(time_diff) AS prev_time_diff BY Machine_Serial
| reverse | eval time_on_machine = time_diff - coalesce(prev_time_diff,0)
| fields - prev_time_diff
| eventstats list(time_on_machine) AS time_on_machine list(time_diff) AS time_diff BY Machine_Serial
| dedup Machine_Serial
Try this
.... | eval z=mvzip(Bundle, time_diff) | mvexpand z | reverse | streamstats window=1 earliest(time_diff) as prevdur by Machine_Serial | eval delta=time_diff-prevdur | stats values(*) as * by Machine_Serial
Can you share the search syntax that you're working with now? Likely there are some clauses doing things to create these multivalue fields and if that's the case the best answers may involve changing some of that upstream search language.