Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I store the delta value in the previous row

HattrickNZ
Motivator
‎01-23-2018 12:05 PM

I have the following: 

    _time   condition   delivery    sent
1   21/01/2018 0:00 0:00    264464  331477
2   22/01/2018 0:00 0:00    271339  339201

what I want is the delta value which is 6875 and 7724

_time   condition   delivery    delivery_d  sent    sent_d
1   21/01/2018 0:00 0:00    264464      331477   
2   22/01/2018 0:00 0:00    271339  6875    339201  7724

But my question is how do I store the delta of 6875 and 7724 in the previous row 21/01/2018 0:00

This is my full search: 

 | makeresults |   eval data = "
   801    20/01/2018 18:40    262719    329507;
   863    20/01/2018 23:50    264437    331450;
   864    20/01/2018 23:55    264454    331467;
   865    21/01/2018 0:00    264464    331477;
   1151    21/01/2018 23:50    271316    339177;
  1152    21/01/2018 23:55    271328    339189;
  1153    22/01/2018 0:00    271339    339201;
  1154    22/01/2018 0:05    271354    339221;
  1155    22/01/2018 0:10    271365    339232;
  1156    22/01/2018 0:15    271373    339240" | 
  makemv delim=";" data | 
  mvexpand data  | 
  rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" | 
  fields - data serial | 
  rex field=_time "(?<condition>\d{1,2}:\d{1,2})" |
  where condition="0:00" OR condition="00:00" | 
  delta delivery as delivery_d | 
  delta sent as sent_d |
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-23-2018 11:21 PM

you can try something like this as well

 | makeresults 
 | eval data = "
    801    20/01/2018 18:40    262719    329507;
    863    20/01/2018 23:50    264437    331450;
    864    20/01/2018 23:55    264454    331467;
    865    21/01/2018 0:00    264464    331477;
    1151    21/01/2018 23:50    271316    339177;
   1152    21/01/2018 23:55    271328    339189;
   1153    22/01/2018 0:00    271339    339201;
   1154    22/01/2018 0:05    271354    339221;
   1155    22/01/2018 0:10    271365    339232;
   1156    22/01/2018 0:15    271373    339240" 
 | makemv delim=";" data 
 | mvexpand data 
 | rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" 
 | rex field=_time "(?<condition>\d{1,2}:\d{1,2})" 
 | where condition="0:00" OR condition="00:00" 
 | delta delivery as delivery_diff 
 | delta sent as sent_diff 
 | search delivery_diff=* 
 | eval _time=strftime((strptime(_time,"%d/%m/%Y %H:%M")-86400),"%d/%m/%Y") 
 | fields _time delivery_diff sent_diff

let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-23-2018 11:21 PM

you can try something like this as well

 | makeresults 
 | eval data = "
    801    20/01/2018 18:40    262719    329507;
    863    20/01/2018 23:50    264437    331450;
    864    20/01/2018 23:55    264454    331467;
    865    21/01/2018 0:00    264464    331477;
    1151    21/01/2018 23:50    271316    339177;
   1152    21/01/2018 23:55    271328    339189;
   1153    22/01/2018 0:00    271339    339201;
   1154    22/01/2018 0:05    271354    339221;
   1155    22/01/2018 0:10    271365    339232;
   1156    22/01/2018 0:15    271373    339240" 
 | makemv delim=";" data 
 | mvexpand data 
 | rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" 
 | rex field=_time "(?<condition>\d{1,2}:\d{1,2})" 
 | where condition="0:00" OR condition="00:00" 
 | delta delivery as delivery_diff 
 | delta sent as sent_diff 
 | search delivery_diff=* 
 | eval _time=strftime((strptime(_time,"%d/%m/%Y %H:%M")-86400),"%d/%m/%Y") 
 | fields _time delivery_diff sent_diff

let me know if this helps!

Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎01-24-2018 12:37 PM

tks.
this was a followon question from here

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎01-23-2018 01:08 PM

As I understand it, Splunk is applying the delta values by sort order. So one option is to reverse the sort order before calculating delta values. However, this reverses the sign of the delta result, which you can undo by subtracting the newly-calculated delta value from 0. Here's my sample code:

| makeresults 
|   eval data = "
    801    20/01/2018 18:40    262719    329507;
    863    20/01/2018 23:50    264437    331450;
    864    20/01/2018 23:55    264454    331467;
    865    21/01/2018 0:00    264464    331477;
    1151    21/01/2018 23:50    271316    339177;
   1152    21/01/2018 23:55    271328    339189;
   1153    22/01/2018 0:00    271339    339201;
   1154    22/01/2018 0:05    271354    339221;
   1155    22/01/2018 0:10    271365    339232;
   1156    22/01/2018 0:15    271373    339240" 
| makemv delim=";" data 
| mvexpand data  
| rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" 
| fields - data serial 
| rex field=_time "(?<condition>\d{1,2}:\d{1,2})" 
| where condition="0:00" OR condition="00:00" 
| sort -_time 
| delta delivery as delivery_d 
| delta sent as sent_d 
| eval delivery_d=0-delivery_d, sent_d=0-sent_d
0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎01-23-2018 01:12 PM

In this particular case, instead of subtracting from 0, you could use the abs() function - but that would not be guaranteed to meet the requirement I understand here, which is to move the original delta value from one line to the next, regardless of the sign.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...