Summarize 15 minute intervals of cumulative input

jedatt01 · ‎01-03-2013

I have an input that's value is like an odometer so it's cumulative. I collect a sample every five minutes. If I want to create a timechart that shows the delta between those values at 15 minute intervals how would I do that? See example below.

1/3/13 00:00:00 value=1084
1/3/13 00:05:00 value=2420
1/3/13 00:10:00 value=3247

15 minute delta value = "2163"

jonuwz · ‎01-03-2013

Given this as example data :

| gentimes start=-1 increment=5m | eval _time=starttime | eval value=floor(random()/100000000) | streamstats sum(value) as total | table _time total

You can use timechart and only select the 1st instance of 'total' in any 15 minute range :

(note: if the values are always cumulative, min(total) would also be valid to get the earliest value in the 15 minute range)

... | timechart span=15m first(total) as first_value

then work out the delta between these 2 15 minute intervals :

... | delta first_value as delta

then remove the 'first_value' field from the output

... | fields - first_value

Summarize 15 minute intervals of cumulative input

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!