Solved: How to find the difference between two fields of t...

Yann_T · ‎01-13-2015

Hi,

I would like to have the difference between two fields at two different times.
So, what am I supposed to use? eval? append?

I tried this search, but there is a mistake:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv" latest=now() earliest=-15m | stats sum(RBytes) as "bRBytes" | append[search latest=-15m earliest=-30m | stats sum(RBytes) as "nRBytes"] | eval "total"=(nRBytes-bRBytes) | table total

Thank you for your help.

aweitzman · ‎01-13-2015

The best way to do this might be to bucket your results into 15-minute increments, and then use delta to get the differences over the computed sums:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv"
| bucket span=15m _time 
| stats sum(RBytes) as RBytesSum by _time
| delta RBytesSum as RBytesDelta

Hope this is helpful.

View solution in original post

aweitzman · ‎01-13-2015

The best way to do this might be to bucket your results into 15-minute increments, and then use delta to get the differences over the computed sums:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv"
| bucket span=15m _time 
| stats sum(RBytes) as RBytesSum by _time
| delta RBytesSum as RBytesDelta

Hope this is helpful.

How to find the difference between two fields of two searches from two different times?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms