Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

delta

Synopsis

Computes the difference in field value between nearby results.

Syntax

delta (field [AS newfield]) [p=int]

Required arguments

field
Syntax: <fieldname>
Description: The name of a field to analyze.

Optional arguments

<newfield>
Syntax: <string>
Description: A new name for the field that holds the computed difference. If newfield is not specified, it defaults to delta(field).
p
Syntax: p=<int>
Description: How many events back to look for the previous value. If p is unspecified, the default is 1, meaning the immediate previous value is used.

Description

For each event where field is a number, the delta command computes the difference, in search order, between the event's value of the field and a previous event's value of field and writes this difference into newfield. If newfield is not specified, it defaults to delta(field). If p is unspecified, it defaults to p=1, meaning that the immediate previous value is used. p=2 would mean that the value before the previous value is used, etc.

Note: The delta command depends on the order of events. By default, the events returned by a non-real-time search are in reverse time order, from newest to oldest, so values that ascend over time show negative deltas. However, delta can be applied after any sequence of commands, so no input order is guaranteed.
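To make the search-order semantics concrete, the following is an added Python model of the delta command (example code written for this page, not Splunk's own implementation). It assumes events are dictionaries whose values are strings, as Splunk fields are; it assumes that an event with no numeric value for the field is passed through untouched and does not count towards p (the page does not say how Splunk itself treats such events); and it also reproduces the abs() and tostring(..., "duration") formatting that the _time examples below apply to the raw delta, with a simple HH:MM:SS formatter standing in for tostring().

```python
"""Illustrative model of the Splunk `delta` command in plain Python.

Added example, not Splunk code: the semantics follow the page's
description (difference against the p-th previous value, default output
field name "delta(<field>)", only numeric values are processed). How
Splunk treats events whose field is missing or non-numeric is an
assumption here: they pass through untouched and do not count towards p.
"""
from collections import deque
from typing import Any, Dict, List, Optional


def _as_number(value: Any) -> Optional[float]:
    """Return value as a float if it is numeric (int, float or numeric
    string), otherwise None. Splunk fields are strings, so "7" counts."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        try:
            return float(value)
        except ValueError:
            return None
    return None


def delta(events: List[Dict[str, Any]], field: str,
          newfield: Optional[str] = None, p: int = 1) -> List[Dict[str, Any]]:
    """Mimic `... | delta <field> [AS <newfield>] [p=<int>]`.

    Events are processed in the order given (search order), exactly as
    delta does: the caller, not this function, controls the ordering,
    which is why newest-first input yields negative deltas.
    """
    if p < 1:
        raise ValueError("p must be a positive integer")
    out_name = newfield or f"delta({field})"
    history: deque = deque(maxlen=p)   # the last p numeric values seen
    result = []
    for event in events:
        ev = dict(event)                # do not mutate the caller's events
        current = _as_number(ev.get(field))
        if current is not None:
            # Once p numeric values are available, history[0] is the
            # p-th previous one; the first p events get no delta field.
            if len(history) == p:
                ev[out_name] = current - history[0]
            history.append(current)
        result.append(ev)
    return result


def to_duration(seconds: float) -> str:
    """Format seconds as HH:MM:SS, the readable form the page obtains
    from eval tostring(<seconds>, "duration"). Approximation only: whole
    seconds, hours not wrapped at 24."""
    total = int(round(seconds))
    hours, rem = divmod(total, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def time_deltas(events: List[Dict[str, Any]]) -> List[Optional[str]]:
    """Reproduce `delta _time AS timeDeltaS p=1 | eval timeDeltaS=abs(...)
    | eval tostring(...,"duration")` over events ordered newest first."""
    rows = delta(events, "_time", newfield="timeDeltaS", p=1)
    return [to_duration(abs(row["timeDeltaS"])) if "timeDeltaS" in row else None
            for row in rows]


# Constructed sample data, not from the tutorial dataset: a top-style
# table of purchase counts per client, already in search order.
TOP_COUNTS = [
    {"clientip": "10.0.0.1", "count": "12"},
    {"clientip": "10.0.0.2", "count": "9"},
    {"clientip": "10.0.0.3", "count": "9"},
    {"clientip": "10.0.0.4", "count": "4"},
]

# Constructed epoch timestamps in the newest-first order a non-real-time
# search returns them, so the raw deltas come out negative.
QUAKES_NEWEST_FIRST = [
    {"_time": 1287700000},
    {"_time": 1287693000},   # 7000 s earlier
    {"_time": 1287689500},   # 3500 s earlier still
]

if __name__ == "__main__":
    for row in delta(TOP_COUNTS, "count"):                         # p=1, delta(count)
        print(row)
    for row in delta(TOP_COUNTS, "count", newfield="countdiff", p=3):
        print(row)
    print(time_deltas(QUAKES_NEWEST_FIRST))                        # [None, '01:56:40', '00:58:20']
```

Running the block shows the two behaviours the description states: the first p events carry no delta field at all, and with newest-first input the raw _time deltas are negative until abs() is applied, which is why the page's examples wrap the result in eval abs() before formatting it.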

Examples

Example 1

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Find the top ten people who bought something yesterday, count how many purchases they made and the difference in the number of purchases between each buyer.

sourcetype=access_* action=purchase | top clientip | delta count p=1

Here, the purchase events (action=purchase) are piped into the top command to find the top ten users (clientip) who bought something. These results, which include a count for each clientip, are then piped into the delta command to calculate the difference between the count value of one event and the count value of the event preceding it. By default, this difference is saved in a field called delta(count):

[Image: DeltaEx1.png]

These results are formatted as a table because of the top command. Note that the first event does not have a delta(count) value.


Example 2

This example uses recent (October 18-25, 2010) earthquake data downloaded from the USGS Earthquakes website. The data is a comma-separated ASCII text file that contains the source network (Src), ID (Eqid), version, date, location, magnitude, depth (km) and number of reporting stations (NST) for each earthquake over the last 7 days.

Download the text file, M 2.5+ earthquakes, past 7 days, save it as a CSV file, and upload it to Splunk. Splunk should extract the fields automatically. Note that you'll be seeing data from the 7 days previous to your download, so your results will vary from the ones displayed below.

Calculate the difference in time between each of the recent earthquakes in Northern California.

source="eqs7day-M1.csv" Region="Northern California" | delta _time AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval timeDelta=tostring(timeDeltaS,"duration")

This example searches for earthquakes in Northern California (Region="Northern California"). Then it uses the delta command to calculate the difference in the timestamps (_time) between each earthquake and the one immediately before it. This change in time is renamed timeDeltaS.

This example also uses the eval command to take the absolute value of timeDeltaS (abs()) and the tostring() function to reformat it as HH:MM:SS, so that it is more readable:

[Image: DeltaEx1.2.png]

Here, you can see that the difference between the first and second quake is almost 2 hours, the difference between the second and third is almost an hour, and so on.


Example 3

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Calculate the difference in time between consecutive transactions.

sourcetype=access_* | transaction JSESSIONID clientip startswith="*signon*" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | eval timeDelta=tostring(timeDelta,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip. An event that contains the string "signon" marks the beginning of a transaction, and an event that contains the string "purchase" marks its end.

The transactions are then piped into the delta command, which uses the _time field to calculate the time between one transaction and the transaction immediately preceding it. The search renames this change in time as timeDelta.

This example also uses the eval command to redefine timeDelta as its absolute value (abs(timeDelta)) and to convert it to a more readable string format with the tostring() function.

[Image: DeltaEx3.png]

You can see that the difference between the first and second transactions is 9 minutes 19 seconds, the difference between the second and third transactions is 9 minutes 40 seconds, and so on.


More examples

Example 1: Compute the difference between the current value of count and the 3rd previous value of count and store the result in 'delta(count)'.

... | delta count p=3

Example 2: For each event where 'count' exists, compute the difference between count and its previous value and store the result in 'countdiff'.

... | delta count AS countdiff

See also

accum, autoregress, streamstats, trendline

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delta command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

