Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Delta on serveral fields, separate by id

sbsbb
Builder
‎06-19-2013 09:49 AM

I have multiple events like :

field 1; otherTimestamp; field2;field3;field4
test;1371481920.000000,value2,valeu3...
test,1371481980.000000,value4,value5...
otherttest,1371481920.000000,value...

I want to compute a delta on the othertimestamp field, but the delta should be 0, if the field1 changed... I also want to see all other fields for each event.

I tried to use delta, but I couldn't make delta begin at 0, on field1 changed...

I've tried to put a | transaction field1 | in front of the delta, but then all the lines are in a single event, and I'd like distinct events...

Can I do it with streamstats somehow ? what is the best way

alt text

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-19-2013 10:02 AM

Did you see this? http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts

It shows how to create a delta split by certain fields using streamstats.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-19-2013 10:02 AM

Did you see this? http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts

It shows how to create a delta split by certain fields using streamstats.

Reply
Solved! Jump to solution

maraman_splunk
Splunk Employee
Splunk Employee
‎04-11-2017 02:26 AM

correct url : https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-25-2013 07:24 AM

See streamstats docs. Remove window. I'm expecting you to do some work yourself here - I'm just giving you pointers on how to solve your problem.

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎06-25-2013 06:45 AM

Thank you, but how can I display all the fields from current ?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-24-2013 11:13 PM

Something like this:

... | streamstats window=2 current=t global=f earliest(otherTimestamp) as curr, latest(otherTimestamp) as next by field1 | eval delta=next-curr
0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎06-24-2013 03:41 PM

Could you post me an example, on how to do it, according to this example ?
( making a delta on one field, and only displaying the others)

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-19-2013 11:17 AM

No. streamstats does not remove any fields, it just writes a couple more to each event.

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎06-19-2013 11:14 AM

ok, but there are other fields that are different on each event... see example value2, value4, if I make a group by the id_field, I'm also loosing all other fields ?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-19-2013 10:56 AM

well "same ID_fields" <-- that's grouping, no? streamstats ... by yourfield

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎06-19-2013 10:32 AM

Yes but in all examples, it is always grouping things...
I want only to compute the delta when event have the same ID_fields, but I need to see all the events...

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...