Hi All,
I am new to Splunk. Please help me with this requirement.
I would like to check whether it is possible to subtract the values of the same field in subsequent events.
For example, I have the two events below at two different timestamps.
9/24/19
6:52:22.000 PM
[Tue Sep 24 16:52:22 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - ServerStatusLog> Memory=1401, Direct=4096, EventMemory=0, Disk=224766, CPU=10.75, Scheduled=468, Queued=0, Connections=3, BytesIn=626255, BytesOut=113227133, Published=1677085616, Consumed=1677214707, QueueSize=0, ClientsSize=0, CommQueueSize=0
9/24/19
6:52:17.000 PM
[Tue Sep 24 16:52:17 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - ServerStatusLog> Memory=1607, Direct=4096, EventMemory=0, Disk=224811, CPU=4.62, Scheduled=468, Queued=0, Connections=3, BytesIn=626255, BytesOut=113207677, Published=1677078549, Consumed=1677207640, QueueSize=0, ClientsSize=0, CommQueueSize=0
Now the result should be, on this field (Published): 1677085616 - 1677078549 = result.
........
In the same way, if I have the next event at another timestamp (in fact, I have another event every 5 seconds):
9/24/19
6:52:12.000 PM
[Tue Sep 24 16:52:12 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - ServerStatusLog> Memory=1710, Direct=4096, EventMemory=0, Disk=224404, CPU=6.25, Scheduled=467, Queued=0, Connections=3, BytesIn=626255, BytesOut=113183513, Published=1677076834, Consumed=1677205925, QueueSize=1, ClientsSize=0, CommQueueSize=0
Now it would be the previous event's field (Published) value - this event's field (Published) value, so it would be 1677078549 - 1677076834 = result.
At the end, I want to make a graph of the resulting values against the respective times.
Thanks & Regards,
Harish
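
The calculation described in the post, as an added example that is not part of the original post: it parses the three ServerStatusLog events (abridged here to a few fields), orders them by time, and subtracts each Published value from the next one. The names `parse_event` and `field_deltas`, and the choice to report a counter reset as `None`, are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Events from the post, abridged to a few fields, newest first as Splunk lists them.
EVENTS = [
    "[Tue Sep 24 16:52:22 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - "
    "ServerStatusLog> Memory=1401, CPU=10.75, Published=1677085616, Consumed=1677214707",
    "[Tue Sep 24 16:52:17 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - "
    "ServerStatusLog> Memory=1607, CPU=4.62, Published=1677078549, Consumed=1677207640",
    "[Tue Sep 24 16:52:12 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - "
    "ServerStatusLog> Memory=1710, CPU=6.25, Published=1677076834, Consumed=1677205925",
]

TS_RE = re.compile(r"^\[\w{3} (\w{3} +\d+ [\d:]+) GMT (\d{4})\]")
KV_RE = re.compile(r"(\w+)=([\d.]+)")


def parse_event(line):
    """Return (timestamp, {field: number}) for one ServerStatusLog line."""
    m = TS_RE.match(line)
    if m is None or "ServerStatusLog>" not in line:
        raise ValueError("not a ServerStatusLog event: %r" % line[:40])
    ts = datetime.strptime(m.group(1) + " " + m.group(2), "%b %d %H:%M:%S %Y")
    body = line.split("ServerStatusLog>", 1)[1]
    fields = {k: float(v) if "." in v else int(v) for k, v in KV_RE.findall(body)}
    return ts, fields


def field_deltas(lines, field):
    """Return [(timestamp, value - previous value)] in ascending time order."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    out = []
    for (_, prev), (ts, cur) in zip(events, events[1:]):
        diff = cur[field] - prev[field]
        # Assumption: the field is a cumulative counter, so a negative difference
        # means the counter restarted; report None instead of a misleading value.
        out.append((ts, diff if diff >= 0 else None))
    return out


if __name__ == "__main__":
    for ts, diff in field_deltas(EVENTS, "Published"):
        print(ts.isoformat(), diff)
```

Inside Splunk, the `delta` command computes the same event-to-event difference. It works in search-result order, so sort by ascending `_time` first to get positive values for a growing counter.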