delta
Synopsis
Computes the difference in field value between nearby results.
Syntax
delta (field [AS newfield]) [p=int]
Arguments
- p
- Syntax: p=<int>
- Description: If newfield is not specified, it defaults to delta(field). If p is unspecified, the default is 1, meaning that the immediately previous value is used.
Description
For each event where field is a number, compute the difference between the current value of field and a previous value of field, and write this difference into newfield. If newfield is not specified, it defaults to delta(field). If p is unspecified, the default is 1, meaning that the immediately previous value is used. p=2 would mean that the value before the previous value is used, and so on.
Examples
Example 1: Compute the difference between current value of count and the 3rd previous value of count and store the result in 'delta(count)'
... | delta count p=3
Example 2: For each event where 'count' exists, compute the difference between count and its previous value and store the result in 'countdiff'.
... | delta count AS countdiff
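The following Python model is an added illustration, not Splunk code. It reproduces the semantics described above for both examples, including the default field name and the results that have no p-th previous value. The sample results are constructed, and skipping non-numeric events entirely when counting back p values is an assumption.

```python
def to_number(value):
    """Return value as a float, or None if it is missing or not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def delta(results, field, newfield=None, p=1):
    """Model of `delta field [AS newfield] [p=int]`, in the order results arrive."""
    if p < 1:
        raise ValueError("p must be a positive integer")
    newfield = newfield or f"delta({field})"   # default name when AS is omitted
    history = []   # numeric values of `field` seen so far
    out = []
    for event in results:
        row = dict(event)
        value = to_number(row.get(field))
        if value is not None:
            # Assumption: only events with a numeric value count as "previous".
            if len(history) >= p:
                row[newfield] = value - history[-p]
            history.append(value)
        out.append(row)
    return out


# Constructed sample results; the third has a non-numeric count.
SAMPLE = [
    {"host": "fw01", "count": "10"},
    {"host": "fw01", "count": "12"},
    {"host": "fw01", "count": "n/a"},
    {"host": "fw01", "count": "20"},
    {"host": "fw01", "count": "23"},
    {"host": "fw01", "count": "30"},
]

if __name__ == "__main__":
    for row in delta(SAMPLE, "count", newfield="countdiff"):   # Example 2
        print(row)
    for row in delta(SAMPLE, "count", p=3):                    # Example 1
        print(row)
```

With p=3 the first three numeric results get no delta(count) field, so a search that alerts on large jumps should not treat a missing field as zero.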
See also
accum, autoregress, streamstats, trendline
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11