Splunk® Enterprise

Search Reference


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.

delta

Synopsis

Computes the difference in field value between nearby results.

Syntax

delta (field [AS newfield]) [p=int]

Required arguments

field
Syntax: <fieldname>
Description: The name of a field to analyze.

Optional arguments

<newfield>
Syntax: <string>
Description: The field into which the computed difference is written. If newfield is not specified, it defaults to delta(field).
p
Syntax: p=<int>
Description: How many results back to compare against. If p is unspecified, the default is 1, meaning the immediate previous value is used.

Description

For each event where field is a number, the delta command computes the difference, in search order, between the event's value of the field and a previous event's value of field and writes this difference into newfield. If newfield is not specified, it defaults to delta(field). If p is unspecified, it defaults to p=1, meaning that the immediate previous value is used. p=2 would mean that the value before the previous value is used, etc.

Note: The delta command works on the order of events. By default, the events returned by a non-real-time search are in reverse time order, from newest to oldest, so values that ascend over time show negative deltas. But delta can be applied after any sequence of commands, so no input order is guaranteed.

Examples

Example 1

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Find the top ten people who bought something yesterday, count how many purchases they made and the difference in the number of purchases between each buyer.

sourcetype=access_* action=purchase | top clientip | delta count p=1

Here, the purchase events (action=purchase) are piped into the top command to find the top ten users (clientip) who bought something. These results, which include a count for each clientip, are then piped into the delta command to calculate the difference between the count value of one event and the count value of the event preceding it. By default, this difference is saved in a field called delta(count):

[Screenshot: DeltaEx1.png]

These results are formatted as a table because of the top command. Note that the first event does not have a delta(count) value.

Example 2

This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), etc., for each earthquake recorded.

You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to Splunk.

Calculate the difference in time between each of the recent earthquakes in Northern California.

source=usgs place=*California* | delta _time AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval timeDelta=tostring(timeDeltaS,"duration")

This example searches for earthquakes in California and uses the delta command to calculate the difference in the timestamps (_time) between each earthquake and the one immediately before it. This change in time is renamed timeDeltaS.

This example also uses the eval command and tostring() function to reformat timeDeltaS as HH:MM:SS, so that it is more readable:

[Screenshot: Searchref delta usgsex1.1.png]

Example 3

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Calculate the difference in time between consecutive transactions.

sourcetype=access_* | transaction JSESSIONID clientip startswith="*signon*" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | eval timeDelta=tostring(timeDelta,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip, treating an event that contains the string "signon" as the beginning of a transaction and an event that contains the string "purchase" as its last event.

The transactions are then piped into the delta command, which uses the _time field to calculate the time between one transaction and the transaction immediately preceding it. The search renames this change in time as timeDelta.

This example also uses the eval command to redefine timeDelta as its absolute value (abs(timeDelta)) and convert it to a more readable string format with the tostring() function.

[Screenshot: DeltaEx3.png]

You can see that the difference between the first and second transactions is 9 minutes 19 seconds, the difference between the second and third transactions is 9 minutes 40 seconds, and so on.
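The delta semantics described above, together with the abs() and tostring(x,"duration") steps of Examples 2 and 3, modelled in Python as an added example. This is not Splunk's code; the sample transactions are constructed, and the handling of events that lack a numeric field is an assumption.

```python
def delta(events, field, newfield=None, p=1):
    """Model of Splunk's `delta field [AS newfield] [p=int]`.

    For each event whose `field` holds a number, write the difference between
    that value and the value of the p-th previous numeric event into `newfield`
    (default "delta(<field>)"). Events are compared in the order given, which
    is whatever the preceding commands produced, so no time order is assumed.
    Assumption (not stated on the page): events with no numeric `field` are
    passed through untouched and do not count toward the comparison window.
    """
    if p < 1:
        raise ValueError("p must be a positive integer")
    newfield = newfield or f"delta({field})"
    seen = []                               # numeric values seen so far
    out = []
    for ev in events:
        ev = dict(ev)                       # do not mutate the caller's events
        val = ev.get(field)
        if isinstance(val, (int, float)) and not isinstance(val, bool):
            if len(seen) >= p:              # the first p numeric events get none
                ev[newfield] = val - seen[-p]
            seen.append(val)
        out.append(ev)
    return out

def duration(seconds):
    """Mimic eval tostring(x, "duration") for spans under a day: HH:MM:SS."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"

def time_deltas(events, p=1):
    """delta _time AS timeDelta p=<p> | eval timeDelta=abs(timeDelta)
    | eval timeDelta=tostring(timeDelta,"duration"), as in Example 3."""
    return [duration(abs(ev["timeDelta"])) if "timeDelta" in ev else None
            for ev in delta(events, "_time", "timeDelta", p)]

# Constructed sample: three transactions in the order a non-real-time search
# returns them (newest first), so the raw deltas are negative and abs() matters.
T = 1_700_000_000
TRANSACTIONS = [{"clientip": "10.0.0.5", "_time": T},
                {"clientip": "10.0.0.5", "_time": T - 559},        # 9m19s earlier
                {"clientip": "10.0.0.5", "_time": T - 559 - 580}]  # 9m40s earlier

if __name__ == "__main__":
    for ev, td in zip(TRANSACTIONS, time_deltas(TRANSACTIONS)):
        print(ev["_time"], td)
```

Running it prints one line per transaction; the first has no delta, matching the "first event does not have a delta" behaviour noted in Example 1.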


More examples

Example 1: Consider logs from a TV set top box (sourcetype=tv) that you can use to analyze broadcasting ratings, customer preferences, etc. Which channels do subscribers watch (activity=view) most and how long do they stay on those channels?

sourcetype=tv activity="View" | sort - _time | delta _time AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | stats sum(timeDeltaS) by ChannelName

Example 2: Compute the difference between current value of count and the 3rd previous value of count and store the result in 'delta(count)'

... | delta count p=3

Example 3: For each event where 'count' exists, compute the difference between count and its previous value and store the result in 'countdiff'.

... | delta count AS countdiff

See also

accum, autoregress, streamstats, trendline

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delta command.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

