This log is updated every 5 minutes (I have included three examples of the logs). The value is cumulative, so while graphing it in Splunk I have to deduct the previous value to get the value for that 5-minute interval. I have created 6 fields. So, for example, let's take one field: pdweb.sescache hit has the following three values, 26965624, 27089514, and 27622280.
Taking 27622280 - 27089514 = 532766 (this is the actual value I want for that 5-minute interval).
pdweb.sescache hit=
pdweb.sescache miss=
pdweb.sescache add=
pdweb.sescache del=
pdweb.sescache inactive=
pdweb.sescache lifetime=
2015-06-22-11:30:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 26965624
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache miss : 1199911
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache add : 767440
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache del : 461681
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache inactive : 307444
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache lifetime : 305720
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache LRU expired : 0
2015-06-22-11:30:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 27089514
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache miss : 1187065
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache add : 757928
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache del : 466608
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache inactive : 292919
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache lifetime : 291094
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache LRU expired : 0
2015-06-22-11:30:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 27622280
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache miss : 1205104
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache add : 806893
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache del : 491966
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache inactive : 316631
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache lifetime : 314759
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache LRU expired : 0
Try autoregress: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Autoregress
I cobbled this together from another post [here] that worked for me, but it also works against multiple hosts.
sourcetype=sescache host=myhost* | sort host, _time
| autoregress sescache_hit as prev_sescache_hit | autoregress host as prev_host
| eval x = (sescache_hit - prev_sescache_hit)
| eval sescache_diff = if(x >= 0, x, null())
| eval sescache_diff = if(host == prev_host, sescache_diff, null())
| timechart span=5m avg(sescache_diff) by host
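The same counter-to-rate computation as an added, stand-alone Python example (this is not code from the original post, from Splunk, or from WebSEAL): it parses the HPDRA0387I report lines shown in the question, groups them into one report per host and timestamp, and applies the two guards from the autoregress search above, subtracting only from the previous report of the same host and treating a negative difference as a counter reset. The host names web1 and web2, the host prefix on each line (Splunk would carry that in event metadata), and all web2 values are constructed assumptions; the web1 hit values are the three from the question.

```python
import re
from datetime import datetime

# Constructed sample (not from the original page's systems): the question's three
# "pdweb.sescache hit" values assigned to a hypothetical host "web1" at 11:20,
# 11:25 and 11:30, plus a hypothetical host "web2" whose counters drop between
# reports, as they would after a restart. Splunk carries the host in event
# metadata; here it is a prefix on each line so the parser has it.
SAMPLE_LOG = """\
web1 2015-06-22-11:20:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
web1 2015-06-22-11:20:00.000-08:00I----- pdweb.sescache hit : 26965624
web1 2015-06-22-11:20:00.000-08:00I----- pdweb.sescache miss : 1187065
web1 2015-06-22-11:20:00.000-08:00I----- pdweb.sescache LRU expired : 0
web1 2015-06-22-11:25:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
web1 2015-06-22-11:25:00.000-08:00I----- pdweb.sescache hit : 27089514
web1 2015-06-22-11:25:00.000-08:00I----- pdweb.sescache miss : 1199911
web1 2015-06-22-11:25:00.000-08:00I----- pdweb.sescache LRU expired : 0
web1 2015-06-22-11:30:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
web1 2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 27622280
web1 2015-06-22-11:30:00.000-08:00I----- pdweb.sescache miss : 1205104
web1 2015-06-22-11:30:00.000-08:00I----- pdweb.sescache LRU expired : 0
web2 2015-06-22-11:25:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
web2 2015-06-22-11:25:00.000-08:00I----- pdweb.sescache hit : 5000000
web2 2015-06-22-11:25:00.000-08:00I----- pdweb.sescache miss : 40000
web2 2015-06-22-11:30:00.000-08:00I----- HPDRA0387I pdweb.sescache statistics report
web2 2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 1200
web2 2015-06-22-11:30:00.000-08:00I----- pdweb.sescache miss : 37
"""

# A counter line: host, the "2015-06-22-11:30:00.000-08:00" stamp, "I-----",
# then "pdweb.sescache <name> : <value>".  Header lines do not match.
METRIC_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})"
    r"I----- pdweb\.sescache (?P<name>[A-Za-z ]+?) : (?P<value>\d+)$"
)
TS_FORMAT = "%Y-%m-%d-%H:%M:%S.%f%z"


def parse_reports(text):
    """Group counter lines into one report per (host, timestamp), sorted by host then time.

    Every counter line of a report shares the header's timestamp, which is what
    ties the six counters of one 5-minute report together.
    """
    reports = {}
    for line in text.splitlines():
        m = METRIC_RE.match(line)
        if not m:
            continue  # HPDRA0387I header or unrelated line: no counter here
        key = (m["host"], datetime.strptime(m["ts"], TS_FORMAT))
        reports.setdefault(key, {})[m["name"]] = int(m["value"])
    return [{"host": h, "ts": t, "counters": c} for (h, t), c in sorted(reports.items())]


def interval_deltas(reports):
    """Turn cumulative counters into per-interval increments.

    Mirrors the SPL: sort by host and _time, subtract the previous report only
    when it belongs to the same host, and replace a negative difference with
    None, since a counter that went backwards means the process restarted.
    """
    rows = []
    prev = None
    for rep in reports:
        if prev is not None and prev["host"] == rep["host"]:
            deltas, reset = {}, False
            for name, value in rep["counters"].items():
                before = prev["counters"].get(name)
                if before is None:          # counter absent in the previous report
                    deltas[name] = None
                elif value >= before:
                    deltas[name] = value - before
                else:                       # same as if(x >= 0, x, null())
                    deltas[name] = None
                    reset = True
            rows.append({"host": rep["host"], "ts": rep["ts"], "deltas": deltas, "reset": reset})
        prev = rep
    return rows


if __name__ == "__main__":
    for row in interval_deltas(parse_reports(SAMPLE_LOG)):
        print(row["host"], row["ts"].strftime("%H:%M"), row["deltas"], "reset" if row["reset"] else "")
```

For web1 the two intervals come out as 123890 and 532766 hits, the second being the number the question works out by hand; web2 produces a single row with every delta None and reset set, which is the row the SPL's `null()` keeps out of the `avg()`, so a restart does not show up as a huge negative spike on the chart.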
sourcetype=sescache host=myhost | eval sescache_number = tonumber(sescache_hit) | delta sescache_number p=1
2015-06-23-07:55:00.000-08:00I----- pdweb.sescache hit : 28026932
2015-06-23-07:50:00.000-08:00I----- pdweb.sescache hit : 28020721
With this search I'm getting a delta (sescache_number) = -6211.
Is there a way to get this in reverse? I need to subtract the top number (latest event) from the bottom one, and the value should be 6211.
"I need to subtract the top number (latest event) from the bottom one and the value should be 6211."
In your example, the top number, i.e. the latest value, is 28026932 and the bottom one is 28020721.
Subtracting the top number from the bottom one means 28020721 - 28026932 = -6211 (a negative value).
I guess you want it the other way (subtract the bottom number from the top one), to get a positive value?
I hope this helps.
sourcetype=sescache host=tstypwsl01 | eval sescache_number = tonumber(sescache_hit) | reverse | table _time sescache_number | delta sescache_number p=1
http://answers.splunk.com/answers/46124/graphing-cumulative-counters.html
Yes, looking to get the positive number.
sourcetype=sescache | eval sescache_number = tonumber('pdweb.sescache hit') | delta sescache_number p=1
If the logs are already sorted by _time (descending order), then try this search and hopefully it should work.
Thank you, you got me on the right path:
sourcetype=sescache host=myhost | eval sescache_hit_diff = tonumber(sescache_hit) | reverse | delta sescache_hit_diff p=1| timechart avg("delta(sescache_hit_diff)")
I'm able to chart the average of the difference between the earliest and latest values!
From the way your question is worded, I'm wondering if it is maybe a multivalued field?
You could use the mvindex function of the eval command:
... | eval delta = tonumber(mvindex('pdweb.sescache hit', -1)) - tonumber(mvindex('pdweb.sescache hit', 0))
This looks for the last value (index at -1) of the multi valued field and subtracts the first (index at 0).
As for doing it for multiple fields, maybe something along the lines of:
...| foreach pdweb.sescache*
[ eval delta_<<MATCHSTR>> = tonumber(mvindex('<<FIELD>>', -1)) - tonumber(mvindex('<<FIELD>>', 0)) ]
Doing this search:
sourcetype=sescache | foreach sescache*
[ eval delta_<
I have the following fields, all with the same value 0:
delta_hit=
delta_miss=
delta_add=
delta_del=
delta_inactive=
delta_lifetime=
This won't work because the foreach command requires <> or <>, not <>.
sourcetype=sescache | eval delta = tonumber(mvindex('sescache_hit', -1)) - tonumber(mvindex('sescache_hit', 0))
Field = sescache_hit
Here are five 5-minute logs:
2015-06-22-22:25:00.000-08:00I----- pdweb.sescache hit : 27793603
2015-06-22-22:25:00.000-08:00I----- pdweb.sescache hit : 28313182
2015-06-22-22:25:00.000-08:00I----- pdweb.sescache hit : 27661866
2015-06-22-22:25:00.000-08:00I----- pdweb.sescache hit : 26611428
2015-06-22-22:20:00.000-08:00I----- pdweb.sescache hit : 28309095
This creates the field "delta", which has only the value 0.
All of this was assuming that it was a multivalued field. If they're all separate events, this won't work. You said you had one field with three values, and all the examples in your original question had the exact same timestamp, so I thought they were all part of the same event?
My bad, each is a separate event at a 5-minute interval:
2015-06-23-07:20:00.000-08:00I----- pdweb.sescache hit : 27989324
2015-06-23-07:15:00.000-08:00I----- pdweb.sescache hit : 27983667
2015-06-23-07:10:00.000-08:00I----- pdweb.sescache hit : 27979265
So for every event you need the delta from the previous event? The answer above on delta should work then?
Yes, sorry for the confusion. Subtract the earliest from the latest. Example:
Let's take the last two events, timestamps 7:20 and 7:15:
2015-06-23-07:20:00.000-08:00I----- pdweb.sescache hit : 27989324
2015-06-23-07:15:00.000-08:00I----- pdweb.sescache hit : 27983667
So I need to subtract 27989324 - 27983667, which would be my true value = 5657.
This comes in at a 5-minute interval.
So this is my search:
sourcetype=sescache | eval delta = mvindex('sescache_hit', -1) - mvindex('sescache_hit', 0)
Error in 'eval' command: Typechecking failed. '-' only takes numbers.
Oops, forgot the tonumber function. Edited my answer.
sourcetype=sescache | eval sescache_number = tonumber('pdweb.sescache hit') | delta sescache_number p=1
Have you tried the delta command?
Ref: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Delta