- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to incrementally subtract values to calculate ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm running a search which outputs something like this, ( where time_diff is the date the code was loaded, subtracted from the date the search is ran in days)-
Machine_Serial Bundle time_diff
75BMY43 1.1 50
1.2 25
1.3 5
1.4 3
75RAB99 1.2 30
1.3 10
1.4 5
What I am trying to achieve is to take one time_diff then subtract the proceeding time_diff so the last two time_diff's in for Machine_Serial would be 50-25=25 then 25-5=20 and so forth, up until the most current which would be 3 ( nothing is done to this one since it is currently on this level and it should grow until another Bundle is loaded). I hope that by using this method I can get the amount of time that the Bundle was loaded on a machine, with out it growing. So it would look something like this
Machine_Serial Bundle time_diff time_on_machine
75BMY43 1.1 50 25
1.2 25 20
1.3 5 2
1.4 3 3
75RAB99 1.2 30 20
1.3 10 5
1.4 5 5
Is there any way I can achieve this? Thank you and please let me know if there are any questions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this:
| mvexpand time_diff
| reverse | streamstats current=f last(time_diff) AS prev_time_diff BY Machine_Serial
| reverse | eval time_on_machine = time_diff - coalesce(prev_time_diff,0)
| fields - prev_time_diff
| eventstats list(time_on_machine) AS time_on_machine list(time_diff) AS time_diff BY Machine_Serial
| dedup Machine_Serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this:
| mvexpand time_diff
| reverse | streamstats current=f last(time_diff) AS prev_time_diff BY Machine_Serial
| reverse | eval time_on_machine = time_diff - coalesce(prev_time_diff,0)
| fields - prev_time_diff
| eventstats list(time_on_machine) AS time_on_machine list(time_diff) AS time_diff BY Machine_Serial
| dedup Machine_Serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
.... | eval z=mvzip(Bundle, time_diff) | mvexpand z | reverse | streamstats window=1 earliest(time_diff) as prevdur by Machine_Serial | eval delta=time_diff-prevdur | stats values(*) as * by Machine_Serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share the search syntax that you're working with now? Likely there are some clauses doing things to create these multivalue fields and if that's the case the best answers may involve changing some of that upstream search language.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
