topic How to check continuous increase of values of a field. in Splunk Search

How to check continuous increase of values of a field.

Anantha123 — Mon, 18 Sep 2023 03:26:39 GMT

Please help me on how I can check if the field value is continuously increasing for 3 hours.

tried below query but does not help .

Perc_change values are extracted from logs , whereas prev_change and growing are calculated form perc_change values.

| streamstats current=f window=1 latest(perc_change) as prev_value
| fillnull value=0
| eval growing = if(perc_change< prev_value,1,0)
| table _time GB change perc_change prev_value growing

getting values as

perc_change prev_value growing

60 0 0

35 60 1

33 35 1

150 33 0

expectations :

perc_change prev_value growing

60 35 1

35 33 1

33 150 0

150 0 0

I have to send a report if the perc_change values are continuously growing for 3 hours

Appreciate your help . Thank you.

Re: How to check continuous increase of values of a field.

yuanliu — Mon, 18 Sep 2023 06:46:26 GMT

First of all, I suspect that by "continuous increase" you actually mean monotonous increase. Are you thinking of delta instead? What is the output format you need in the report? If you want all the event details, you can then use eventstats to determine whether there was any decrement.

| delta perc_change as delta | eventstats values(delta) as change | where NOT changes < 0 | table _time GB delta perc_change

If you do not need every event, you may construct some stats command that is more efficient.

Re: How to check continuous increase of values of a field.

ITWhisperer — Mon, 18 Sep 2023 09:38:37 GMT