Solved: How do I search the difference between the the sum...

andra_pietraru · ‎06-12-2015

Right now, I am computing the latest value of a field per ID per each day and then I compute the sum of it. But I would like to see the difference between e.g. sum of day 2 - sum of day 1 as the range for day 2.

My search:

msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID| timechart span=1d sum(lastSeenValue)

What I want to achieve is to find the range of field myField per day.
I tried using range(myField) but that will miss adding the last event of the previous day.
Any suggestions? Thanks!

woodcock · ‎06-12-2015

Try this:

 msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f  last(sumLastSeenValue ) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue

View solution in original post

woodcock · ‎06-12-2015

Try this:

 msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f  last(sumLastSeenValue ) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue

andra_pietraru · ‎06-14-2015

Worked like a charm. Thanks!

How do I search the difference between the the sum of latest value from two consecutive days?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!