Solved: How do I move results retrieved by the "delta" com...

j_r · ‎12-20-2018

Is it possible to move the results of "delta" one row up?

I calculate time difference with "delta" and would like to move the column with the results one row up

whrg · ‎12-20-2018

Hello @j_r,

So the idea is to reverse the sort order, then calculate the delta, then reverse the sign and then reverse again:

your base search
| reverse | delta yourfield as yourfield_diff | eval yourfield_diff=0-yourfield_diff | reverse

Instead of "reverse" you could also use "sort _time" and "sort -_time".

whrg · ‎12-20-2018

Hello @j_r,

So the idea is to reverse the sort order, then calculate the delta, then reverse the sign and then reverse again:

your base search
| reverse | delta yourfield as yourfield_diff | eval yourfield_diff=0-yourfield_diff | reverse

Instead of "reverse" you could also use "sort _time" and "sort -_time".

How do I move results retrieved by the "delta" command one row up?