bossvef.blogg.se

Anchored splunk definition
delta

Computes the difference between nearby results using the value of a specific numeric field. For each event where <field> is a number, the delta command computes the difference, in search order, between the <field> value for the current event and the <field> value for the previous event. The delta command writes this difference into <newfield>.

Required arguments

field
Syntax: <field>
Description: The name of a field to analyze. If <field> is not a numeric field, no output field is generated.

Optional arguments

newfield
Syntax: <newfield>
Description: The name of a new field to write the output to.
Default: delta(<fieldname>)

p
Syntax: p=<int>
Description: Specifies how many results prior to the current result to use for the comparison to the value in field in the current result. The prior results are determined by the search order, which is not necessarily chronological order. If p=1, compares the current result value against the value in the first result prior to the current result. If p=2, compares the current result value against the value in the result that is two results prior to the current result, and so on.

The delta command works on the events in the order they are returned by search. By default, the events for historical searches are in reverse time order, from new events to old events. For real-time search, the events are compared in the order they are received. Values ascending over time show negative deltas.

The delta command can be applied after any sequence of commands, so there is no input order guaranteed. For example, if you sort your results by an independent field and then use the delta command, the produced values are the deltas in that specific order.

Basic examples

1. Calculate the difference between the current value and the previous value and rename the result field

For each event where 'count' exists, compute the difference between count and its previous value and store the result in the field countdiff.

... | delta count AS countdiff

2. Calculate the difference between the current value and the 3rd previous value

Compute the difference between the current value of count and the 3rd previous value of count and store the result in the default field, delta(<fieldname>), which in this example is delta(count).

Extended examples

1. Calculate the difference in the number of purchases between the top 10 buyers

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk.

2. Which channels do subscribers watch the most, activity=view, and how long do the subscribers stay on those channels?

With the logs from a cable TV provider, sourcetype=tv, you can analyze broadcasting ratings, customer preferences, and so on.

sourcetype=tv activity="View" | sort - _time | delta _time AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | stats sum(timeDeltaS) by ChannelName
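As an added illustration, not Splunk code or Splunk documentation, the following Python model reproduces the semantics described above: comparison with the p-th prior result in search order, no output field for non-numeric values, the default delta(<field>) name, and the sourcetype=tv dwell-time search with its negative deltas. The channel-view events are constructed, and the model's treatment of a non-numeric prior value (no output) is an assumption.

```python
from collections import defaultdict  # added example, not Splunk code


def _num(value):
    """Return value as a float if it is numeric, otherwise None."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def delta(results, field, newfield=None, p=1):
    """Model of `... | delta <field> [AS <newfield>] [p=<int>]` over dicts
    in search order (historical searches return newest first unless a sort
    precedes delta). The output field, delta(<field>) by default, is written
    only when the current value and the value p results earlier are both
    numeric; skipping a non-numeric prior value is this model's assumption.
    """
    out = newfield or f"delta({field})"
    for i, row in enumerate(results):
        if i < p:
            continue  # no p-th prior result exists yet
        cur, prev = _num(row.get(field)), _num(results[i - p].get(field))
        if cur is not None and prev is not None:
            row[out] = cur - prev
    return results


def channel_dwell(events):
    """Model of the sourcetype=tv search: sort - _time | delta _time AS
    timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | stats sum by ChannelName.
    Newest-first order makes every raw delta negative (values ascend over
    time); abs() gives the seconds spent on the older event's channel.
    """
    rows = [dict(e) for e in sorted(events, key=lambda e: e["_time"], reverse=True)]
    delta(rows, "_time", newfield="timeDeltaS")
    totals = defaultdict(float)
    for row in rows:
        if "timeDeltaS" in row:  # the newest view has no later event
            totals[row["ChannelName"]] += abs(row["timeDeltaS"])
    return dict(totals)


# Constructed sample events for one subscriber (_time in epoch seconds).
SAMPLE_VIEWS = [
    {"_time": 1000, "ChannelName": "News"},
    {"_time": 1300, "ChannelName": "Sports"},
    {"_time": 1330, "ChannelName": "Movies"},
    {"_time": 2000, "ChannelName": "News"},
]
```

Running channel_dwell(SAMPLE_VIEWS) attributes 300 s to News, 30 s to Sports and 670 s to Movies; the final News view gets no delta because no later event exists.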