https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112690#M29609 <P><CODE><BR /> index=os sourcetype=interfaces host=prefix-*<BR /> | reverse<BR /> | streamstats range(TXbytes) as tx_delta global=f window=2 by host<BR /> | timechart span=1m max(tx_delta) as tx_delta by host<BR /> </CODE></P> <P>Based on <A href="https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html">https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html</A> and tweaked to work for fleets of hosts.</P> Sat, 08 Feb 2020 00:22:08 GMT jdsumsion 2020-02-08T00:22:08Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112683#M29602 <P>This seems like such an elementary use of splunk, I can't believe I've spent days researching this to no avail. I've read the two other relevant questions, but their answers don't work.</P> <P>I have a nice chart of message counts produced by:</P> <P>index=... source=... earliest=... | timechart span=15m max(out_msgs)</P> <P>But what I want is a rate per interval of 'out_msgs' (eg messages per 15min)</P> Fri, 20 Jun 2014 03:16:11 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112683#M29602 jgc94131 2014-06-20T03:16:11Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112684#M29603 <P>could you be a little more clear? you are plotting them for every 15 minutes already. What do we required here? Is rate is another param?</P> <P><CODE>|bucket _time span=15m |chart max(rate) by out_msgs</CODE></P> <P><CODE>|timechart span=15m max(rate) by out_msgs</CODE></P> <P>Thanks,<BR /> L</P> Fri, 20 Jun 2014 03:48:37 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112684#M29603 linu1988 2014-06-20T03:48:37Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112685#M29604 <P>Hi jgc94131,</P> <P>take this run everywhere example and adapt it to your needs:</P> <PRE><CODE>index=_internal | bucket _time span=15min | multikv fields series, kbps | stats earliest(kbps) as previous, latest(kbps) as current by series | eval rateofchange=round((current-previous)/previous,2) | rename rateofchange as "% Rate of Change" </CODE></PRE> <P>this will create a stats table of kbps per series and evaluates a <CODE>% Rate of Change</CODE> per 15 minutes interval.<BR /> If you only want to see the <CODE>delta</CODE> between the 15min interval you can also use something like this:</P> <PRE><CODE>index=_internal | timechart span=15min avg(kbps) AS avgKBPS | delta avgKBPS </CODE></PRE> <P>hope this helps to get you started ...</P> <P>cheers, MuS</P> Fri, 20 Jun 2014 07:28:02 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112685#M29604 MuS 2014-06-20T07:28:02Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112686#M29605 <P>Alternatively, you could do this:</P> <PRE><CODE>| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs </CODE></PRE> Fri, 20 Jun 2014 07:42:35 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112686#M29605 martin_mueller 2014-06-20T07:42:35Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112687#M29606 <P>HeHe, looks like I missed something in my <CODE>delta</CODE> example, but I cannot figure it out what .... ? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 20 Jun 2014 07:51:48 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112687#M29606 MuS 2014-06-20T07:51:48Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112688#M29607 <P>out_msgs is a counter that increments on each output message. I want to measure its rate of change.</P> Fri, 20 Jun 2014 17:08:27 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112688#M29607 jgc94131 2014-06-20T17:08:27Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112689#M29608 <P>This is great. I understand it. It's simple. It uses delta. Excellent.</P> Fri, 20 Jun 2014 17:13:12 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112689#M29608 jgc94131 2014-06-20T17:13:12Z https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112690#M29609 <P><CODE><BR /> index=os sourcetype=interfaces host=prefix-*<BR /> | reverse<BR /> | streamstats range(TXbytes) as tx_delta global=f window=2 by host<BR /> | timechart span=1m max(tx_delta) as tx_delta by host<BR /> </CODE></P> <P>Based on <A href="https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html">https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html</A> and tweaked to work for fleets of hosts.</P> Sat, 08 Feb 2020 00:22:08 GMT https://community.splunk.com/t5/Splunk-Search/plot-rate-of-change/m-p/112690#M29609 jdsumsion 2020-02-08T00:22:08Z