https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454456#M128575 <P>Check out the following using extreme search to create a baseline and identify when performance doesn't match the baseline:</P> <P><A href="http://www.georgestarcher.com/splunk-getting-extreme-part-one/">http://www.georgestarcher.com/splunk-getting-extreme-part-one/</A></P> Tue, 20 Aug 2019 13:51:17 GMT solarboyz1 2019-08-20T13:51:17Z https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454455#M128574 <P>I'd like to build an alert that essentially says "if the count from this hour is more than twice, or less than half, the count from the last hour, throw an alert." I'm new to Splunk, and I'm having a hard time figuring out how to write this. Obviously I've got the count part—using <CODE>stats count</CODE> or <CODE>timechart count</CODE> or whatever. That gives me a relatively compact table, with a double-digit number of rows. Now I essentially want to join that table to itself. If this were SQL, I would find it trivial; it'd be a quick self-join. I can't figure out how to encode it in Splunk. Is there an easy way to do this?</P> <P><CODE>timewrap</CODE> looked promising, but I couldn't figure out how to take just this hour's count and divide by just the last hour's count. Instead <CODE>timewrap</CODE> gave me a bunch of columns, including an hour ago but also many other hours ago.</P> <P>Does this problem have an obvious answer?</P> Tue, 20 Aug 2019 13:22:19 GMT https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454455#M128574 shulmaniel 2019-08-20T13:22:19Z https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454456#M128575 <P>Check out the following using extreme search to create a baseline and identify when performance doesn't match the baseline:</P> <P><A href="http://www.georgestarcher.com/splunk-getting-extreme-part-one/">http://www.georgestarcher.com/splunk-getting-extreme-part-one/</A></P> Tue, 20 Aug 2019 13:51:17 GMT https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454456#M128575 solarboyz1 2019-08-20T13:51:17Z https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454457#M128576 <P>That feels like a sledgehammer to kill an ant. Am I misreading it?</P> <P>Fundamentally, too, I don't think I'm doing an anomaly-detection task; I should be able to just do math using both this period and another period. No? In SQL, this would be trivial using basic arithmetic; it wouldn't require any extra machinery.</P> Tue, 20 Aug 2019 13:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454457#M128576 shulmaniel 2019-08-20T13:57:50Z https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454458#M128577 <P>Check out <CODE>relative_time</CODE> or the <CODE>date_hour</CODE> field. Either will work </P> <PRE><CODE>index=.. | timechart count | eval now=now() | eval one_hour_ago=relative_time(now(), "-1h") | eval compare_this_hour_to_last=if(_time&gt;one_hour_ago AND _time&lt;now, 'count',"") </CODE></PRE> Tue, 20 Aug 2019 14:46:49 GMT https://community.splunk.com/t5/Splunk-Search/Do-math-on-this-period-s-numbers-versus-last-period-s/m-p/454458#M128577 skoelpin 2019-08-20T14:46:49Z