topic Compare two counter values in time in Splunk Search

Compare two counter values in time

jcl_tw0 — Tue, 27 Aug 2013 20:08:22 GMT

Hi,

I want to write a query to compare performance counter's values over 20 min span where the counter values change more than 1000.

Your help is appreciated!

Re: Compare two counter values in time

rturk — Tue, 10 Sep 2013 11:24:31 GMT

Can you provide some sample events or context?

Re: Compare two counter values in time

jcl_tw0 — Wed, 11 Sep 2013 01:05:14 GMT

For example
- 9/10/13 3:00 PM - counter 1, counter value 13240
- 9/10/13 3:00 PM - counter 2, counter value 12700
- 9/10/13 3:10 PM - counter 1, counter value 13340
- 9/10/13 3:10 PM - counter 2, counter value 13800
- 9/10/13 3:20 PM - counter 1, counter value 13430
- 9/10/13 3:20 PM - counter 2, counter value 14850
- 9/10/13 3:30 PM - counter 1, counter value 15200
- 9/10/13 3:30 PM - counter 2, counter value 16200

In the span of 20 minutes between 3:00 PM to 3:30 PM which counter has counter value changes less than 1000. Answer is counter 1 bet 3:00 PM to 3:20 PM, value 190

Re: Compare two counter values in time

dmlee — Mon, 28 Sep 2020 14:44:56 GMT

I think you can try below command :
sourcetype=counter | bucket _time span=20m | stats min(counter_value) as min_cv max(counter_value) as max_cv by counter, _time | eval diff = max_cv- min_cv | search diff<1000

by the way, if your time span is 20 minutes , the answer should be counter 1 between 3:00:00pm to 3:19:59pm ( not 3:20:00pm) value=100 , 3:20:00 is the beginning of next 20 minutes , right ?

Re: Compare two counter values in time

HiroshiSatoh — Mon, 28 Sep 2020 14:44:58 GMT

I have combine data from 20 minutes before the most recent data.
But is long ...

(result)

Re: Compare two counter values in time

jcl_tw0 — Mon, 28 Sep 2020 14:47:20 GMT

I ran the query but the CounterValue, min_cv and max_cv values are the same so the diff between min_cv and max_cv is 0