Splunk Search

Delta on serveral fields, separate by id

sbsbb
Builder

I have multiple events like :

field 1; otherTimestamp; field2;field3;field4
test;1371481920.000000,value2,valeu3...
test,1371481980.000000,value4,value5...
otherttest,1371481920.000000,value...

I want to compute a delta on the othertimestamp field, but the delta should be 0, if the field1 changed... I also want to see all other fields for each event.

I tried to use delta, but I couldn't make delta begin at 0, on field1 changed...

I've tried to put a | transaction field1 | in front of the delta, but then all the lines are in a single event, and I'd like distinct events...

Can I do it with streamstats somehow ? what is the best way

alt text

1 Solution

Ayn
Legend

Did you see this? http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts

It shows how to create a delta split by certain fields using streamstats.

View solution in original post

Ayn
Legend

Did you see this? http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts

It shows how to create a delta split by certain fields using streamstats.

maraman_splunk
Splunk Employee
Splunk Employee
0 Karma

Ayn
Legend

See streamstats docs. Remove window. I'm expecting you to do some work yourself here - I'm just giving you pointers on how to solve your problem.

0 Karma

sbsbb
Builder

Thank you, but how can I display all the fields from current ?

0 Karma

Ayn
Legend

Something like this:

... | streamstats window=2 current=t global=f earliest(otherTimestamp) as curr, latest(otherTimestamp) as next by field1 | eval delta=next-curr
0 Karma

sbsbb
Builder

Could you post me an example, on how to do it, according to this example ?
( making a delta on one field, and only displaying the others)

0 Karma

Ayn
Legend

No. streamstats does not remove any fields, it just writes a couple more to each event.

0 Karma

sbsbb
Builder

ok, but there are other fields that are different on each event... see example value2, value4, if I make a group by the id_field, I'm also loosing all other fields ?

0 Karma

Ayn
Legend

well "same ID_fields" <-- that's grouping, no? streamstats ... by yourfield

0 Karma

sbsbb
Builder

Yes but in all examples, it is always grouping things...
I want only to compute the delta when event have the same ID_fields, but I need to see all the events...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...