https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497303#M138524 <P>1000s of values?<BR /> I don't understand 1.25 is 1000s of values.</P> Wed, 18 Mar 2020 12:48:48 GMT to4kawa 2020-03-18T12:48:48Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497302#M138523 <P>Hello Splunkers!</P> <P>I have the following fields being populated by 1000s of values every 1 minute:</P> <P>Name Cost</P> <P>E.g.<BR /> Luke 1.25<BR /> Luke 1.22<BR /> Dave 2.45<BR /> Dave 2.57</P> <P>Bearing in mind, there are over 1000 Cost values coming in for each Name each minute, I want to identify the biggest movers in terms of Cost over a 5 minute period thereby identifying the most volatile Names in a timechart.</P> <P>Can anyone tell me how I would do this please? </P> Wed, 18 Mar 2020 10:39:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497302#M138523 luke222010 2020-03-18T10:39:56Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497303#M138524 <P>1000s of values?<BR /> I don't understand 1.25 is 1000s of values.</P> Wed, 18 Mar 2020 12:48:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497303#M138524 to4kawa 2020-03-18T12:48:48Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497304#M138525 <P>Like this:</P> <PRE><CODE>... earliest=-5m latest=now | stats range(Cost) AS volatility BY Name | sort 0 - volatility </CODE></PRE> <P>Also maybe this:</P> <PRE><CODE>... earliest=-24h latest=now | streamstats time_window=5m range(Cost) AS volatility BY Name | sort 0 - volatility </CODE></PRE> Wed, 18 Mar 2020 14:31:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-the-most-volatile-values-in-a-field/m-p/497304#M138525 woodcock 2020-03-18T14:31:56Z