topic Re: Join events and evaluate difference price in Splunk Search

Join events and evaluate difference price

abdulvehhaba — Tue, 07 Nov 2017 20:40:14 GMT

I have data like this

I am joined uuid over market data together like that

But there is 4 times date column i want to show only one and i want to add price difference column like

Cex.io - koinim = 7280.10 - 7377.70 = 97.6 how can i achieve?

Re: Join events and evaluate difference price

somesoni2 — Tue, 07 Nov 2017 20:54:29 GMT

Which time you want to show (from which market)? Is the price diff columns (market names) are fixed?

Re: Join events and evaluate difference price

DalJeanis — Wed, 08 Nov 2017 01:06:55 GMT

You have three or more different markets at each point in time, so there are three or more different price differences. With a fourth market, there are six different price differences; with five, there are ten.

If I were you, for a dashboard, I would present two different panels, both using the same base search. The first panel would be the actual prices. The second would be the difference between the prices, in a specific order (you pick one).

Here's your base search...

sourcetype="coinmarketcap_csv" etc.etc.etc.
| eval market = upper(substr(market,1,3))
| eval {market} = price
| fields - vol* market
| stats first(_time) as _time values(*) as * range(price) as HILO by uuid
| fields - price

The above gives you BTC, CEX, KOI and PAR as your four prices, with HILO as the difference between top and bottom prices.

This section calculates the six differences. This is largely redundant, because any 3 encode all the rest. If you select one of them, for example BTC, as the "standard", then everything else stands in relationship to that standard, and you would only need the first three lines.

| eval BTCCEX = BTC - CEX
| eval BTCKOI = BTC - KOI
| eval BTCPAR = BTC - PAR
| eval CEXKOI = CEX - KOI
| eval CEXPAR = CEX - PAR
| eval KOIPAR = KOI - PAR

See if the above helps you get what you want.

Re: Join events and evaluate difference price

abdulvehhaba — Wed, 08 Nov 2017 18:47:31 GMT

It works thanks; but i want to learn how it is work

| eval market = upper(substr(market,1,3))
It takes first 3 charcter ok.
| eval {market} = price
what that mean { }
| fields - vol* market
it doesnt show vol and market

| stats first(_time) as _time values() as * range(price) as HILO by uuid
get first time as time ok
values() as * for what?
* range(price) as HILO by uuid and i dont understand?
| fields - price
dont show price

| eval BTCCEX = BTC - CEX
it works and also i am add

| eval BTCCEX = BTC - CEX | search BTCCEX > 50

Re: Join events and evaluate difference price

DalJeanis — Mon, 13 Nov 2017 16:35:23 GMT

The curly braces {} will take whatever value is in the variable and use that as the name of a new variable.

stats values(test*) as val* by something will take each variable that starts with test, and will create a variable that starts with val, that contains all the values (up to 100). So, for instance, test1 becomes val1, testfoo becomes a variable valfoo.

stats values(*) as * will take every field that isn't already part of the by and roll together all the values (up to 100) into the same field name.

And that is the reason for the fields - command before it... I don't want the system to spend any CPU time on the fields I am getting rid of.

range(price) as HILO The range() is the difference between the highest and lowest values of something. In this case, the highest price and the lowest price. So that's your maximum delta. You didn't really ask for it, but I'd put it there when working through your needs, and never took it out after I figured that you had several prices.

The best way to understand what each line of code does is to start with the top selection criteria, add a | head 10 to get the first ten records of data, and then add back one line at a time, and see how that line transforms the data. Seems like you did some of that. Well done in figuring out what you did.

Re: Join events and evaluate difference price

abdulvehhaba — Thu, 16 Nov 2017 19:44:11 GMT

everything is fine except curly brances{ }

I understand it is like an array we can put some variables into single variable?
Am i correct?

If i am wrong, that means it is only a new variable.
what is the differnce between

eval {market} = price
eval market = price