I have multiple events like:
field 1; otherTimestamp; field2;field3;field4
test;1371481920.000000,value2,value3...
test,1371481980.000000,value4,value5...
otherttest,1371481920.000000,value...
I want to compute a delta on the otherTimestamp field, but the delta should be 0 if field1 changed... I also want to see all the other fields for each event.
I tried to use delta, but I couldn't make delta start at 0 when field1 changed...
I've tried to put a | transaction field1 | in front of the delta, but then all the lines end up in a single event, and I'd like distinct events...
Can I do it with streamstats somehow? What is the best way?
Did you see this? http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts
It shows how to create a delta split by certain fields using streamstats.
See streamstats docs. Remove window. I'm expecting you to do some work yourself here - I'm just giving you pointers on how to solve your problem.
Thank you, but how can I display all the fields from the current event?
Something like this:
... | streamstats window=2 current=t global=f earliest(otherTimestamp) as curr, latest(otherTimestamp) as next by field1 | eval delta=next-curr
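To make visible what that search does to each event, here is an added Python emulation (not code from the post or from Splunk) of the two-event window per field1: earliest/latest are taken over the previous and current event of the same group, and every original field is kept. The sample events are constructed from the question's layout and assumed to be comma-delimited and in chronological order.

```python
from typing import Dict, List

# Constructed sample events mirroring the question's layout (assumed comma-delimited).
SAMPLE_EVENTS = """test,1371481920.000000,value2,value3,value4
test,1371481980.000000,value4,value5,value6
othertest,1371481920.000000,value7,value8,value9
othertest,1371482040.000000,value10,value11,value12
test,1371482100.000000,value13,value14,value15"""

FIELDS = ["field1", "otherTimestamp", "field2", "field3", "field4"]


def parse_events(raw: str) -> List[Dict[str, str]]:
    """Split each line into a dict keyed by FIELDS; surplus columns are ignored."""
    return [dict(zip(FIELDS, line.split(","))) for line in raw.splitlines()]


def streamstats_delta(events: List[Dict[str, str]],
                      key: str = "field1",
                      ts: str = "otherTimestamp") -> List[Dict[str, object]]:
    """Emulate:
       streamstats window=2 current=t global=f earliest(ts) as curr, latest(ts) as next by key
       | eval delta=next-curr
    Events are consumed in the order given (assumed chronological). For the first event
    of a group the window holds only that event, so curr == next and delta is 0.
    Nothing is removed: each output event is the input event plus curr, next and delta."""
    last_seen: Dict[str, float] = {}   # previous timestamp per group (the window of 2)
    out: List[Dict[str, object]] = []
    for ev in events:
        now = float(ev[ts])
        prev = last_seen.get(ev[key], now)
        enriched: Dict[str, object] = dict(ev)       # keep field2, field3, field4, ...
        enriched["curr"] = min(prev, now)            # earliest(ts) over the window
        enriched["next"] = max(prev, now)            # latest(ts) over the window
        enriched["delta"] = enriched["next"] - enriched["curr"]
        out.append(enriched)
        last_seen[ev[key]] = now
    return out


if __name__ == "__main__":
    for row in streamstats_delta(parse_events(SAMPLE_EVENTS)):
        print(row["field1"], row["field2"], row["delta"])
```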
Could you post an example of how to do it, based on this example?
(making a delta on one field, and still displaying the others)
No. streamstats does not remove any fields, it just writes a couple more to each event.
OK, but there are other fields that are different on each event... see example value2, value4. If I group by the id_field, am I also losing all the other fields?
Well, "same ID_fields" <-- that's grouping, no? streamstats ... by yourfield
Yes but in all examples, it is always grouping things...
I only want to compute the delta when events have the same ID_fields, but I need to see all the events...