How can I show a change in the value of a field? For instance, I have a field called volume_id=vol-0h8383hjk that has iops=3990 at 9AM, and the same volume_id has value 1000 at 11:30, as I changed the IOPS for a few volume IDs and want to track the changes. How can I show those changes in a trend for each volume_id, or show what was changed, like what it was before and what it was after? Below are the sample events:
{"account_id": "121313", "id": "vol-00a327728828ef", "create_time": "2018-05-08T05:00:00.173Z", "type": "gp2", "attach_data": {"status": "attached", "id": "vol-00a327728828ef", "device": "/dev/sdg", "instance_id": "i-xxxxxxxxxx", "deleteOnTermination": "true", "attach_time": "2018-05-08T05:00:01.000Z"}, "region": "usx", "status": "in-use", "snapshot_id": "snap-xxxxxxxx", "zone": "us-east-1e", "encrypted": true, "size": 1330, **"iops": 3990**, "tags": {"lm:ENVIRONMENT": "Test", "Patch Group": "db", "LM-Snapshot": "weekly", "ssm-patch": "yes", "lm:APPID": "9,3", "lm:PROJECT": "68", "CreateSnapshotDaily": "False", "lm:OWNER": "Tech", "CreateSnapshotWeekly": "True", "Exclude-Snapshot": "Daily", "account": "ss", "Name": "AZ4", "lm:ATION": "le,T, "m:NAME": "4"}}
{"account_id": "121313", "id": "vol-00a327728828ef", "create_time": "2018-05-08T05:00:00.173Z", "type": "gp2", "attach_data": {"status": "attached", "id": "vol-00a327728828ef", "device": "/dev/sdg", "instance_id": "i-xxxxxxxxxx", "deleteOnTermination": "true", "attach_time": "2018-05-08T05:00:01.000Z"}, "region": "usx", "status": "in-use", "snapshot_id": "snap-xxxxxxxx", "zone": "us-east-1e", "encrypted": true, "size": 1330, **"iops": 1000**, "tags": {"lm:ENVIRONMENT": "Test", "Patch Group": "db", "LM-Snapshot": "weekly", "ssm-patch": "yes", "lm:APPID": "9,3", "lm:PROJECT": "68", "CreateSnapshotDaily": "False", "lm:OWNER": "Tech", "CreateSnapshotWeekly": "True", "Exclude-Snapshot": "Daily", "account": "ss", "Name": "AZ4", "lm:ATION": "le,T, "m:NAME": "4"}}
Thanks in advance
Something like?
.....
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| timechart avg(diff) by volume_id
Try this....
....
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| where diff>0
| table _time, iops, p_iops, diff
Hello @solarboyz1,
Thank you for your reply.
That is giving me a totally different value. I just want to see the change that I have made today for all volume_ids, like before and after. I made the changes between 10 and 10:30 in the morning.
Something like....
| timechart span=1d avg(iops) as iops
| delta iops as diff
The avg command does the average, but what I am looking for is: if the value is 1000 in the morning and now it is 3000, I need to see a table chart which has two fields, before_iops and after_iops, with values 1000 and 3000.
I have a field called volume_id=vol-0h8383hjk and has iops=3990 at 9AM and the same volume_id has value 1000 at 11:30
If you aren't looking to sort the results by time, then you could do something like:
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| where diff>0
| table _time, iops, p_iops, diff
Which will just show results when it changes.
Great, that worked. Can you move your comment to an answer? I will accept it. Thank you very much.
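A self-contained variant of the streamstats approach from this thread, added here as an example and not posted by any participant: it builds four constructed events with makeresults, sorts them oldest first so that "previous" means the earlier reading, and lists a before_iops/after_iops pair whenever the value changes in either direction. The volume IDs vol-sample-a and vol-sample-b and the counter field n are assumptions made for the example; the times and IOPS values follow the question.

```spl
| makeresults count=4
| streamstats count as n
| eval volume_id=if(n<=2, "vol-sample-a", "vol-sample-b")
| eval _time=strptime(if(n%2==1, "2018-05-08 09:00", "2018-05-08 11:30"), "%Y-%m-%d %H:%M")
| eval iops=case(n==1, 3990, n==2, 1000, true(), 3000)
| sort 0 _time
| streamstats current=f last(iops) as before_iops by volume_id
| where isnotnull(before_iops) AND iops!=before_iops
| rename iops as after_iops
| table _time, volume_id, before_iops, after_iops
```

Against real data, replace the first five lines with the base search that returns the volume events; the comparison with != is what lets a decrease such as 3990 to 1000 appear alongside increases.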