Computes the difference between nearby results using the value of a specific numeric field. For each event where field is a number, the
delta command computes the difference, in search order, between the field value for the event and the field value for the previous event. The
delta command writes this difference into newfield.
newfield argument is not specified, then the
delta command uses
If field is not a number in either of the two values, no output field is generated.
delta command works on the events in the order they are returned by search. By default, the events for historical searches are in reverse time order from new events to old events. Values ascending over time show negative deltas. For real-time search, the events are compared in the order they are received. In the general case, the
delta could be applied after any sequence of commands, so there is no input order guaranteed. For example, if you sort your results by an independent field and then use the
delta command, the produced values are the deltas in that specific order.
delta (<field> [AS <newfield>]) [p=int]
- Syntax: <field-name>
- Description: The name of a field to analyze.
- Syntax: <string>
- Description: Write output to this field.
- Default: delta(field-name)
- Syntax: p=<int>
- Description: Specifies how many results prior to the current result to use for the comparison to the value in
fieldin the current result. The prior results are determined by the search order, which is not necessarily chronological order. If
p=1, compares the current result value against the value in the first result prior to the current result. If
p=2, compares the current result value against the value in the result that is two results prior to the current result, and so on.
- Default: 1
|This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to your Splunk deployment. Then, run this search using the time range, Other > Yesterday.|
Find the top ten people who bought something yesterday, count how many purchases they made and the difference in the number of purchases between each buyer.
sourcetype=access_* status=200 action=purchase | top clientip | delta count p=1
Here, the purchase events (
action=purchase) are piped into the
top command to find the top ten users (
clientip) who bought something. These results, which include a
count for each
clientip are then piped into the
delta command to calculate the difference between the
count value of one event and the
count value of the event preceding it. By default, this difference is saved in a field called
These results are formatted as a table because of the
top command. Note that the first event does not have a
|This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so on, for each earthquake recorded.
You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to the search.
Calculate the difference in time between each of the recent earthquakes in Northern California.
source=usgs place=*California* | delta _time AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval timeDelta=tostring(timeDeltaS,"duration")
This example searches for earthquakes in California and uses the
delta command to calculate the difference in the timestamps (
_time) between each earthquake and the one immediately before it. This change in time is renamed
This example also uses the
eval command and
tostring() function to reformat
timeDeltaS as HH:MM:SS, so that it is more readable.
|This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to the search. Then, run this search using the time range, Other > Yesterday.|
Calculate the difference in time between consecutive transactions.
sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | eval timeDelta=tostring(timeDelta,"duration")
This example groups events into transactions if they have the same values of JSESSIONID and clientip. An event is defined as the beginning of the transaction if it contains the string "view," and the last event of the transaction if it contains the string "purchase". The keywords "view" and "purchase" correspond to the values of the
action field. You might also notice other values such as "addtocart" and "remove."
The transactions are then piped into the
delta command, which uses the
_time field to calculate the time between one transaction and the transaction immediately preceding it. The search renames this change, in time, as
This example also uses the
eval command to redefine
timeDelta as its absolute value (
abs(timeDelta)) and convert this value to a more readable string format with the
Example 1: Consider logs from a TV set top box (
sourcetype=tv) that you can use to analyze broadcasting ratings, customer preferences, and so on. Which channels do subscribers watch (
activity=view) most and how long do they stay on those channels?
sourcetype=tv activity="View" | sort - _time | delta _time AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | stats sum(timeDeltaS) by ChannelName
Example 2: Compute the difference between current value of count and the 3rd previous value of count and store the result in 'delta(count)'
... | delta count p=3
Example 3: For each event where 'count' exists, compute the difference between count and its previous value and store the result in 'countdiff'.
... | delta count AS countdiff
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delta command.
This documentation applies to the following versions of Splunk Cloud™: 7.0.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3, 6.5.0