Search commands > delta

So after my last post discussing accum, I figured I would describe it’s close relative delta. Delta is similar to accum.   It’s purpose is to help you calculate the difference between a field’s value in two different events rather than keeping a running total.

I find delta to be the more useful of the two commands.

Delta:

The syntax for delta is very similar to accum, but it has one additional parameter:

delta (field [AS newfield]) [p=int]

Like accum, the delta command is designed to work on nearby events.  Rather than a running total, delta calculates the difference between field values.  The field parameter tells delta which field to use to calculate the …

» Continue reading

Search Commands > accum

One of the great things about Splunk is that there are often several different ways to accomplish the same goal. In our series highlighting the various Splunk search commands, you may find yourself thinking a few times that you could accomplish the end goal using a different method. That’s great!  Use what is most natural to you, what is the most readable in any given search and don’t sweat finding the “right” search command

In this post, we are going to discuss the accum command.  In my next blog post, we will cover delta which is similar to accum. The purpose of these commands is to keep a running total and to help you calculate the difference between a field’s …

» Continue reading