When use the delta
command I get results like this
Value delta(Value) what-I-want-it-to-be
1 0 /
1 -1 0
2 -3 1
5 -4 3
9 / 4
Here, delta(n) is value(n)-value(n+1).. that is to say it is calculating the difference of the next value, not the previous.
I want it to be delta(n) = value(n)-value(n-1).
This is normally what I think of when someone says "delta"... the change since the last value, not the change that is about to happen.
Am I using delta wrong? Is there away to use it to calculate past change, not future change?
Returns negative values looking ahead, sorted oldest to newest
eventype=myevents | delta Value | sort + _time
Returns positive values looking back
eventype=myevents | sort + _time | delta Value
I don't have an instance of Splunk to test on at the moment, but can you sort the data so its order is reversed prior to the delta command?
Hi @neiljpeterson
Both previous comments on this question are now answers so you can accept whichever one helped solve your issue 🙂 Glad you found what you needed on Splunk Answers!
Patrick
I don't have an instance of Splunk to test on at the moment, but can you sort the data so its order is reversed prior to the delta command?
:facepalm: Duh! Brain is not working today. That does the trick. Please post this as an answer so I can accept it! Thanks!
Hi @neiljpeterson
Would you be able to paste the search query you're using? It'll help folks with giving you an exact answer and also help people with the same problem. A similar question was asked before. Check this out to see if the solution can solve your problem as well. http://answers.splunk.com/answers/152960/how-to-edit-search-so-delta-command-does-not-return-negativ...