understanding how delta and streamstats handles no...

HattrickNZ · ‎11-11-2018

This is my search to simulate the data i need to illustrate:

| makeresults 
     | eval data = "
1-Sep    7820592;
2-Sep    7821163;
3-Sep    7821111;
4-Sep    7822068;
5-Sep    7822669;
    " 
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)"
     | fields + Date kpi1 | fields - _time
     | search kpi1 = * 
     | eval "kpi1"=if(Date=="3-Sep","",'kpi1')
     | delta kpi1 as kpi1_diff
     | streamstats range(kpi1) as kpi1_ss window=2

which gives this output: (I am interested in how splunk handles no data i.e. no value. e.g. 3-sep has no value below )

    Date    kpi1    kpi1_diff   kpi1_ss
1   1-Sep   7820592       0
2   2-Sep   7821163 571 571
3   3-Sep                    0
4   4-Sep   7822068 905 0
5   5-Sep   7822669 601 601

I am trying to understand how streamstats and delta deals with no value
In this case:

streamstats puts a zero, where there is no value in that row, and a zero in the row after it, then it resumes getting the difference. So it seems it returns zero if one of the 2 values is a no value.

delta is different, if there is a no value, it puts a no value in the corresponding slot and then it resumes getting the difference with the previous available value.

Now my question:
*Can I get streamstats to behave like delta? *

looking here allnum=true might be the answer

understanding how delta and streamstats handles no value

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?