Solved: How to find the difference between two fields of t...

Yann_T · ‎01-13-2015

Hi,

I would like to have the difference between two fields at two different times.
So, what am I supposed to use? eval? append?

I tried this search, but there is a mistake:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv" latest=now() earliest=-15m | stats sum(RBytes) as "bRBytes" | append[search latest=-15m earliest=-30m | stats sum(RBytes) as "nRBytes"] | eval "total"=(nRBytes-bRBytes) | table total

Thank you for your help.

aweitzman · ‎01-13-2015

The best way to do this might be to bucket your results into 15-minute increments, and then use delta to get the differences over the computed sums:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv"
| bucket span=15m _time 
| stats sum(RBytes) as RBytesSum by _time
| delta RBytesSum as RBytesDelta

Hope this is helpful.

View solution in original post

aweitzman · ‎01-13-2015

The best way to do this might be to bucket your results into 15-minute increments, and then use delta to get the differences over the computed sums:

index=indexwifi source="/opt/scripts/inputs/ap_info.csv"
| bucket span=15m _time 
| stats sum(RBytes) as RBytesSum by _time
| delta RBytesSum as RBytesDelta

Hope this is helpful.

How to find the difference between two fields of two searches from two different times?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!