topic Conditional statements based on metric trends in Splunk Search

Conditional statements based on metric trends

winknotes — Fri, 17 Jan 2020 17:38:20 GMT

This may actually be 2 questions, but I have 3 metrics I'd like to compare based on how they're trending. So......

Condition is met when metric 1 is trending up, metric 2 and metric 3 are trending down.

I'm not sure how to write a query that ascertains a trend and I'm guessing an if statement would work for the condition.

Re: Conditional statements based on metric trends

adonio — Fri, 17 Jan 2020 18:53:40 GMT

hello there,
there are many ways to do it in Splunk. couple of commands to consider: streamstats, detla, trendline, autoregress, accumn
look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline

As there are many other ways to do this, here is a very simplified version of what i understand you are trying to achieve:

    | gentimes start=-1 increment=1m
    | head 10
    | eval _time = starttime
    | table _time
    | eval v1 = random()%10
    | eval v2 = random()%10
    | eval v3 = random()%10
    | rename COMMENT as "the above generates data below is the solution" 
    | delta v1 as dv1 
    | delta v2 as dv2
    | delta v3 as dv3
    | eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")

hope it helps

Re: Conditional statements based on metric trends

winknotes — Fri, 17 Jan 2020 21:15:00 GMT

Thanks so much adonio. I'll experiment with this but looks promising.

Re: Conditional statements based on metric trends

adonio — Fri, 17 Jan 2020 21:21:07 GMT

@winknotes i converted your answer to a comment, if this works for you, kindly accept the answer and up-vote it