https://community.splunk.com/t5/Splunk-Search/How-to-calculate-rate-of-change-over-time-for-an-variable/m-p/63132#M15592 <P>I have an input value that changes steadily (at constant rate, either increasing or decreasing), and Splunk is capturing every value with a timestamp.</P> <P>I am trying to find a way to calculate the acceleration of this input, which is the rate of change over time.<BR /> Ideally, I would like to trigger an alert if a threshold in this rate of change is reached.</P> <P>Any smooth changes in the velocity are fine, but abrupt changes (speed up, slow down larger than some threshold) should trigger an alarm, or at least should be visible in a Splunk graph for analysis against other kind of time based data for event correlation analysis.</P> <P>Mathematically, the problem should be simple: Acceleration is the second derivative of a function.<BR /> However, it is difficult to model a function (much less find the derivatives) from just raw data.</P> <P>I might be over-thinking this, therefore I'm reaching out to other splunkers for ideas.</P> <P>Thanks.</P> Thu, 13 Jun 2013 18:56:09 GMT mflamerich 2013-06-13T18:56:09Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-rate-of-change-over-time-for-an-variable/m-p/63132#M15592 <P>I have an input value that changes steadily (at constant rate, either increasing or decreasing), and Splunk is capturing every value with a timestamp.</P> <P>I am trying to find a way to calculate the acceleration of this input, which is the rate of change over time.<BR /> Ideally, I would like to trigger an alert if a threshold in this rate of change is reached.</P> <P>Any smooth changes in the velocity are fine, but abrupt changes (speed up, slow down larger than some threshold) should trigger an alarm, or at least should be visible in a Splunk graph for analysis against other kind of time based data for event correlation analysis.</P> <P>Mathematically, the problem should be simple: Acceleration is the second derivative of a function.<BR /> However, it is difficult to model a function (much less find the derivatives) from just raw data.</P> <P>I might be over-thinking this, therefore I'm reaching out to other splunkers for ideas.</P> <P>Thanks.</P> Thu, 13 Jun 2013 18:56:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-rate-of-change-over-time-for-an-variable/m-p/63132#M15592 mflamerich 2013-06-13T18:56:09Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-rate-of-change-over-time-for-an-variable/m-p/63133#M15593 <P>If you are talking about a steady increase/decrease (not acceleration) <CODE>delta</CODE> would be a good option. </P> <P>If you are talking about acceleration/deceleration hmm .. perhaps would be something that you can work on.</P> <P><CODE>... | streamstats window=X stdev(your_field) as Y</CODE></P> <P>Large values of Y would indicate that there has been a significant change, and that the current value of <CODE>your_field</CODE> is different from the previous X number of values.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonStatsFunctions</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Streamstats">http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Streamstats</A></P> <P>/k</P> Thu, 13 Jun 2013 21:30:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-rate-of-change-over-time-for-an-variable/m-p/63133#M15593 kristian_kolb 2013-06-13T21:30:34Z