Splunk® Enterprise

Search Reference


delta

Description

Computes the difference between nearby results using the value of a specific numeric field. For each event where field is a number, the delta command computes the difference, in search order, between the field value for the event and the field value for the previous event. The delta command writes this difference into newfield.

If the newfield argument is not specified, then the delta command uses delta(field).

If field is not a number in either of the two values, no output field is generated.

Note: The delta command works on the events in the order they are returned by the search. By default, the events for historical searches are in reverse time order, from newest to oldest, so values that ascend over time produce negative deltas. For real-time searches, the events are compared in the order they are received. In the general case, the delta command can be applied after any sequence of commands, so no input order is guaranteed. For example, if you sort your results by an independent field and then use the delta command, the values produced are the deltas in that sort order.

Syntax

delta (<field> [AS <newfield>]) [p=int]

Required arguments

field
Syntax: <field-name>
Description: The name of a field to analyze.

Optional arguments

newfield
Syntax: <string>
Description: Write output to this field.
Default: delta(field-name)
p
Syntax: p=<int>
Description: Specifies how many results prior to the current result to use for the comparison to the value in field in the current result. The prior results are determined by the search order, which is not necessarily chronological order. If p=1, compares the current result value against the value in the first result prior to the current result. If p=2, compares the current result value against the value in the result that is two results prior to the current result, and so on.
Default: 1
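The following Python function is an added illustration of the semantics described above (the p argument, the AS newfield form, and the rule that no output field is written when either compared value is not a number); it is not part of the Splunk documentation or the product code. The sample result set is constructed for the example and stands in for rows already in search order.

```python
from typing import Any, Dict, List, Optional


def _as_number(value: Any) -> Optional[float]:
    """Return the value as a number, or None if it is not numeric.
    SPL field values are usually strings, so numeric strings count as numbers."""
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return value
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def delta(results: List[Dict[str, Any]], field: str,
          newfield: Optional[str] = None, p: int = 1) -> List[Dict[str, Any]]:
    """Model of the SPL delta command.

    For each result where `field` is a number and the result p positions
    earlier in search order also has a numeric `field`, write the difference
    (current minus prior) into `newfield`. Otherwise no output field is added.
    The default output field name is delta(<field>), as in the documentation.
    """
    if p < 1:
        raise ValueError("p must be a positive integer")
    out_name = newfield if newfield else f"delta({field})"
    output = []
    for i, result in enumerate(results):
        row = dict(result)                      # do not mutate the caller's rows
        current = _as_number(result.get(field))
        prior = _as_number(results[i - p].get(field)) if i - p >= 0 else None
        if current is not None and prior is not None:
            row[out_name] = current - prior
        output.append(row)
    return output


# Constructed sample in search order, mimicking the per-clientip counts that
# `top clientip` would hand to delta, with one deliberately non-numeric value.
SAMPLE = [
    {"clientip": "10.0.0.1", "count": 30},
    {"clientip": "10.0.0.2", "count": "28"},   # numeric string, as SPL values are
    {"clientip": "10.0.0.3", "count": "n/a"},  # not a number: no delta here or where it is the prior
    {"clientip": "10.0.0.4", "count": 21},
    {"clientip": "10.0.0.5", "count": 17},
]

if __name__ == "__main__":
    for row in delta(SAMPLE, "count"):                          # ... | delta count
        print(row)
    for row in delta(SAMPLE, "count", "countdiff", p=3):        # ... | delta count AS countdiff p=3
        print(row)
```

Note that the non-numeric "n/a" value suppresses the output field both for its own row and for the row that would compare against it, which matches the "either of the two values" rule in the description.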

Examples

Example 1

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to your Splunk deployment. Then, run this search using the time range, Other > Yesterday.

Find the top ten people who bought something yesterday, count how many purchases they made and the difference in the number of purchases between each buyer.

sourcetype=access_* status=200 action=purchase | top clientip | delta count p=1

Here, the purchase events (action=purchase) are piped into the top command to find the top ten users (clientip) who bought something. These results, which include a count for each clientip, are then piped into the delta command to calculate the difference between the count value of one event and the count value of the event preceding it. By default, this difference is saved in a field called delta(count).

[Image: results of the Example 1 search, showing the delta(count) column]

These results are formatted as a table because of the top command. Note that the first event does not have a delta(count) value.

Example 2

This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so on, for each earthquake recorded.

You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to the search.

Calculate the difference in time between each of the recent earthquakes in Northern California.

source=usgs place=*California* | delta _time AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval timeDelta=tostring(timeDeltaS,"duration")

This example searches for earthquakes in California and uses the delta command to calculate the difference in the timestamps (_time) between each earthquake and the one immediately before it. This change in time is renamed timeDeltaS.

This example also uses the eval command and tostring() function to reformat timeDeltaS as HH:MM:SS, so that it is more readable.

[Image: results of the Example 2 search, showing the timeDeltaS and timeDelta columns]

Example 3

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to the search. Then, run this search using the time range, Other > Yesterday.

Calculate the difference in time between consecutive transactions.

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | eval timeDelta=tostring(timeDelta,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip. An event is defined as the beginning of a transaction if it contains the string "view", and as the last event of a transaction if it contains the string "purchase". The keywords "view" and "purchase" correspond to values of the action field. You might also notice other values such as "addtocart" and "remove".

The transactions are then piped into the delta command, which uses the _time field to calculate the time between one transaction and the transaction immediately preceding it. The search names this change in time timeDelta.

This example also uses the eval command to redefine timeDelta as its absolute value (abs(timeDelta)) and convert this value to a more readable string format with the tostring() function.
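Examples 2 and 3 both follow the same pattern: order the events, take the _time difference between each event and the one before it, apply abs() because a newest-first search order makes the raw deltas negative, and render the seconds with tostring(X, "duration"). The Python below is an added illustration of that pipeline, not code from the Splunk documentation; the earthquake-style events are constructed, and tostring_duration models only the HH:MM:SS form the page describes (fractional seconds are truncated and hours are not rolled into days, which the page does not cover).

```python
from typing import Any, Dict, List

# Constructed sample: earthquake-style events with epoch _time values (seconds),
# deliberately out of order to show that the deltas follow the search order.
EVENTS = [
    {"_time": 1_500_000_000, "place": "10km NE of San Simeon, California"},
    {"_time": 1_500_003_725, "place": "5km S of Parkfield, California"},
    {"_time": 1_500_001_200, "place": "12km W of Ferndale, California"},
]


def tostring_duration(seconds: float) -> str:
    """Model of tostring(X, "duration"): seconds to HH:MM:SS.
    Assumption: whole seconds only, and hours may exceed 23."""
    total = int(seconds)
    hours, rem = divmod(total, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def time_deltas(events: List[Dict[str, Any]], newest_first: bool = True) -> List[Dict[str, Any]]:
    """Pipeline of Example 2:
       ... | delta _time AS timeDeltaS p=1
           | eval timeDeltaS=abs(timeDeltaS)
           | eval timeDelta=tostring(timeDeltaS,"duration")
    A historical search returns events newest first, so the raw delta is
    negative; abs() turns it into the elapsed time between the two events."""
    ordered = sorted(events, key=lambda e: e["_time"], reverse=newest_first)
    output = []
    for i, event in enumerate(ordered):
        row = dict(event)
        if i > 0:                                   # the first row has no prior event
            raw = event["_time"] - ordered[i - 1]["_time"]
            row["rawDeltaS"] = raw                  # kept only to show the sign (not in the SPL)
            row["timeDeltaS"] = abs(raw)
            row["timeDelta"] = tostring_duration(row["timeDeltaS"])
        output.append(row)
    return output


if __name__ == "__main__":
    for row in time_deltas(EVENTS):
        print(row)
```

The same function applies to the transaction output of Example 3, since transaction rows also carry a _time field: pass the transactions instead of raw events and the timeDelta column is the gap between consecutive transactions.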

[Image: results of the Example 3 search, showing the timeDelta column for each transaction]

More examples

Example 1: Consider logs from a TV set top box (sourcetype=tv) that you can use to analyze broadcasting ratings, customer preferences, and so on. Which channels do subscribers watch (activity=view) most and how long do they stay on those channels?

sourcetype=tv activity="View" | sort - _time | delta _time AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | stats sum(timeDeltaS) by ChannelName

Example 2: Compute the difference between the current value of count and the third previous value of count, and store the result in 'delta(count)'.

... | delta count p=3

Example 3: For each event where 'count' exists, compute the difference between count and its previous value and store the result in 'countdiff'.

... | delta count AS countdiff

See also

accum, autoregress, streamstats, trendline

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delta command.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1


Comments

Woodcock
Thank you for pointing this out. I have clarified the description for the "p" argument.

Lstewart splunk, Splunker
January 27, 2017

The description of the "p" argument is mis-merged, has a redundant sentence and should be entirely rewritten.

Woodcock
January 25, 2017
