I have to calculate the change of a field (xyz) over the past 6 hours on a per-host basis. I have calculated the same for a single host specified in the query itself. The code is as follows:
index=ck sourcetype=a_log host = hkv earliest=-6h | delta du as useddiff |
fillnull value=0.00 useddiff | eval velo=useddiff/15 | table _time du useddiff velo
I now need to do the same for multiple hosts separately and display a timechart of all of the hosts together. Kindly tell me how the same work can be done host-wise.
Give this a try
index=ck sourcetype=a_log host=* earliest=-6h
| sort 0 _time host
| streamstats current=f window=1 values(du) as prevdu by host
| eval useddiff=coalesce(du-prevdu,0.00)
| eval velo=useddiff/15 | table _time host du useddiff velo
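To make the difference between the two approaches concrete, here is an added Python example (not from the original thread and not Splunk code) that replays the same logic over a handful of constructed events: `naive_delta` behaves like a plain `delta` with no `by host`, so the last value of one host is subtracted from the first value of the next; `per_host_delta` behaves like the `streamstats ... by host` plus `coalesce(du-prevdu,0.00)` above, tracking the previous `du` separately for each host; `velo_by_host` pivots the result the way `timechart ... by host` would. Field names, hosts and values are constructed for illustration.

```python
# Constructed sample events as (_time, host, du): two hosts sampled every 15 minutes.
# These values are made up for the example and are not from the original thread.
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:00", "hkv", 100.0),
    ("2024-01-01T00:00:00", "web1", 500.0),
    ("2024-01-01T00:15:00", "hkv", 115.0),
    ("2024-01-01T00:15:00", "web1", 470.0),
    ("2024-01-01T00:30:00", "hkv", 145.0),
    ("2024-01-01T00:30:00", "web1", 470.0),
]

INTERVAL_MINUTES = 15  # matches the thread's `eval velo=useddiff/15`


def _row(t, host, du, useddiff):
    """Build one output row, mirroring the fields the SPL `table` command emits."""
    return {"_time": t, "host": host, "du": du,
            "useddiff": useddiff, "velo": useddiff / INTERVAL_MINUTES}


def naive_delta(events):
    """Mimics `delta du as useddiff` with no host grouping.

    Events are walked in (_time, host) order, like `sort 0 _time host`, and every
    row is compared with whichever row came before it, even if that row belongs
    to a different host. This is the cross-host bleed the question describes.
    """
    rows = []
    prev = None
    for t, host, du in sorted(events):
        useddiff = 0.0 if prev is None else du - prev  # first row: fillnull 0.00
        rows.append(_row(t, host, du, useddiff))
        prev = du
    return rows


def per_host_delta(events):
    """Mimics `streamstats current=f window=1 values(du) as prevdu by host`
    followed by `eval useddiff=coalesce(du-prevdu,0.00)`.

    The previous value is kept per host, so a host's first event yields 0.00
    and every later event is compared only with that same host's prior event.
    """
    rows = []
    prev_by_host = {}
    for t, host, du in sorted(events):
        prev = prev_by_host.get(host)          # None until the host has a prior row
        useddiff = 0.0 if prev is None else du - prev
        rows.append(_row(t, host, du, useddiff))
        prev_by_host[host] = du
    return rows


def velo_by_host(rows):
    """Pivot rows into {_time: {host: velo}}, the shape `timechart ... by host`
    produces, so all hosts can be plotted together on one chart."""
    chart = {}
    for r in rows:
        chart.setdefault(r["_time"], {})[r["host"]] = r["velo"]
    return chart


if __name__ == "__main__":
    print("naive (cross-host bleed):")
    for r in naive_delta(SAMPLE_EVENTS):
        print(f'  {r["_time"]} {r["host"]:5} du={r["du"]:6.1f} useddiff={r["useddiff"]:7.1f}')
    print("per host:")
    for r in per_host_delta(SAMPLE_EVENTS):
        print(f'  {r["_time"]} {r["host"]:5} du={r["du"]:6.1f} useddiff={r["useddiff"]:7.1f}')
    print("timechart-style pivot:", velo_by_host(per_host_delta(SAMPLE_EVENTS)))
```

Running it shows the naive version producing differences of several hundred between interleaved rows of `hkv` and `web1`, while the per-host version reports only each host's own 15-minute change (and 0.00 for a host's first event), which is the number `velo` is meant to be derived from.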
Please check this:
index=ck sourcetype=a_log host = hkv earliest=-6h | delta du as useddiff |
fillnull value=0.00 useddiff | timechart eval(useddiff/15) by host
The problem is that I have more than one host, and I need the difference within the same host (or a zero) rather than a difference between the last value of the previous host and the first value of the next host.
Maybe, instead of delta, you can give stats dc (distinct count) a try:
index=ck sourcetype=a_log host = hkv earliest=-6h | stats dc(du) as useddiff by host | fillnull value=0.00 useddiff | eval velo=useddiff/15| table time du useddiff velo
But this defeats the purpose, since I actually need the difference between two consecutive rows belonging to the same host only.