- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I find the delta with the previous count va...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I find the delta with the previous count value for each host?
Hi,
I have data which always gives me a cumulative count for each server with time as:
<search>| timechart span=4m values(value) as TotalCount by Host
Creates results as below
_time Host1 Host2
2015-08-13 09:04:00 3448034.0 3310489.0
2015-08-13 09:08:00 3448073.0 3310525.0
2015-08-13 09:12:00 3448106.0 3310561.0
2015-08-13 09:16:00 3448139.0 3310594.0
I want to find delta with previous value for each host and want in similar table format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A solution could be a scheduled search every 5 minutes
.... earliest=-5m@m latest=@m | max(value) as value | convert timeformat="%Y-%m-%d %H:%M" ctime(_time) AS this_time | inputlookup history value this_time OUTPUNEW value as old_value, this_time | eval delta=value-old_value | outputlookup append=true history
would give you a lookup table with the deltas, but I guess there is room for improvement in this solution 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can use streamstats to solve this. Try to use something like this after the search that leads to the results you showed in your post:
| streamstats current=f last(Host1) as Host1_old last(Host2) as Host2_old | eval delta1=Host1 - Host1_old | eval delta2=Host2 - Host2_old
What happens here is:
1. The part | streamstats current=f last(Host1) as Host1_old gives you the previos event of the Host value
2. The part | eval delta1=Host1 - Host1_old calculates the delta from the current Host value and the previous Host value
Greetings
Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can have any number of host in output so while executing query it should be generate difference between previous reading automatically
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all your hosts have a common prefix you can use something like | stats last(Host*) as Host*. Then you can use a foreach to calculate the delta of all Host fields.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
