Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to get the hourly increase or decrease of a nu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jschikar
Engager
02-16-2017
10:28 AM
Hi,
i have hourly values and i want to see the difference to the hour before.
So instead of hour 1: 10€, hour 2: 20€, hour 3: 10€
I want the increase / decrease: hour 2: +10 hour 3: -10
I imagined this should be possible with a calculated field maybe?
Thanks in advance!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
02-16-2017
11:00 AM
This generates some test data -
| makeresults | eval myfield="10 20 15 30 18 40" | makemv myfield | mvexpand myfield
| streamstats count as hour | eval _time = _time + 3600*hour | bin _time span=1h
This is what you want -
| delta myfield as difference
| table _time hour myfield difference
With this sample output -
_time hour myfield difference
2017-02-16T20:00:00.000+0000 1 10
2017-02-16T21:00:00.000+0000 2 20 10
2017-02-16T22:00:00.000+0000 3 15 -5
2017-02-16T23:00:00.000+0000 4 30 15
2017-02-17T00:00:00.000+0000 5 18 -12
2017-02-17T01:00:00.000+0000 6 40 22
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
02-16-2017
11:00 AM
This generates some test data -
| makeresults | eval myfield="10 20 15 30 18 40" | makemv myfield | mvexpand myfield
| streamstats count as hour | eval _time = _time + 3600*hour | bin _time span=1h
This is what you want -
| delta myfield as difference
| table _time hour myfield difference
With this sample output -
_time hour myfield difference
2017-02-16T20:00:00.000+0000 1 10
2017-02-16T21:00:00.000+0000 2 20 10
2017-02-16T22:00:00.000+0000 3 15 -5
2017-02-16T23:00:00.000+0000 4 30 15
2017-02-17T00:00:00.000+0000 5 18 -12
2017-02-17T01:00:00.000+0000 6 40 22
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jschikar
Engager
02-16-2017
11:35 AM
That's exactly what i want!
Thanks very much, I didn't come across the delta function 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
02-16-2017
01:29 PM
No problem. There's a lot of splunk verbs I don't know yet. Every week I learn another one or two, or a better way to use the ones I DO know...
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
