I have some statistic fields that are accumulated values over time. I want to chart the difference values between n and n-1 over time.
For example, number_segments looks like:
[1, 2, 5, 7, 10, ...]
I want to get a timechart of the difference n, n-1:
[1, 1, 3, 2, 3, ...]
How can I do this with the search language?
You'll need either delta or (more flexible and powerful) streamstats:
sourcetype=mydataseries | delta number_segments as diff | timechart diff
or
sourcetype=mydataseries
| streamstats window=2 current=t global=f
first(number_segments) as n last(number_segments) as n_minus_1
| eval diff=n_minus_1 - n
| timechart diff
this works, too, thanks!
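
An added example, not part of the original answers: a streamstats variant that sorts events oldest-first (search results arrive newest-first by default, so the sign of the difference depends on event order), keeps one running series per source, and drops the negative differences a counter reset produces. The `host` split field and the 5-minute span are assumptions; the sourcetype and field name are the ones from the question.

```spl
sourcetype=mydataseries
| sort 0 _time
| streamstats current=f window=1 last(number_segments) as prev by host
| eval diff = number_segments - prev
| where diff >= 0
| timechart span=5m sum(diff) as diff by host
```

The `where` clause also discards the first event of each host, which has no previous value and therefore a null `diff`.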