
How to get a trendline or show change when a value of a field is changed?

vrmandadi
Builder

How can I show a change in the value of a field? For instance, I have a field called volume_id=vol-0h8383hjk that has iops=3990 at 9AM, and the same volume_id has the value 1000 at 11:30, because I changed the IOPS for a few volume IDs and want to track the changes. How can I show those changes in a trend for each volume_id, OR SHOW WHAT WAS CHANGED, LIKE WHAT IT WAS BEFORE AND WHAT IT WAS AFTER? Below are the sample events

{"account_id": "121313", "id": "vol-00a327728828ef", "create_time": "2018-05-08T05:00:00.173Z", "type": "gp2", "attach_data": {"status": "attached", "id": "vol-00a327728828ef", "device": "/dev/sdg", "instance_id": "i-xxxxxxxxxx", "deleteOnTermination": "true", "attach_time": "2018-05-08T05:00:01.000Z"}, "region": "usx", "status": "in-use", "snapshot_id": "snap-xxxxxxxx", "zone": "us-east-1e", "encrypted": true, "size": 1330, **"iops": 3990**, "tags": {"lm:ENVIRONMENT": "Test", "Patch Group": "db", "LM-Snapshot": "weekly", "ssm-patch": "yes", "lm:APPID": "9,3", "lm:PROJECT": "68", "CreateSnapshotDaily": "False", "lm:OWNER": "Tech", "CreateSnapshotWeekly": "True", "Exclude-Snapshot": "Daily", "account": "ss", "Name": "AZ4", "lm:ATION": "le,T", "m:NAME": "4"}}

{"account_id": "121313", "id": "vol-00a327728828ef", "create_time": "2018-05-08T05:00:00.173Z", "type": "gp2", "attach_data": {"status": "attached", "id": "vol-00a327728828ef", "device": "/dev/sdg", "instance_id": "i-xxxxxxxxxx", "deleteOnTermination": "true", "attach_time": "2018-05-08T05:00:01.000Z"}, "region": "usx", "status": "in-use", "snapshot_id": "snap-xxxxxxxx", "zone": "us-east-1e", "encrypted": true, "size": 1330, **"iops": 1000**, "tags": {"lm:ENVIRONMENT": "Test", "Patch Group": "db", "LM-Snapshot": "weekly", "ssm-patch": "yes", "lm:APPID": "9,3", "lm:PROJECT": "68", "CreateSnapshotDaily": "False", "lm:OWNER": "Tech", "CreateSnapshotWeekly": "True", "Exclude-Snapshot": "Daily", "account": "ss", "Name": "AZ4", "lm:ATION": "le,T", "m:NAME": "4"}}

Thanks in advance


solarboyz1
Builder

Try this....

....
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| where diff>0
| table _time, iops, p_iops, diff

solarboyz1
Builder

Something like?

.....
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| timechart avg(diff) by volume_id

vrmandadi
Builder

Hello @solarboyz1,
Thank you for your reply.

That is giving me a totally different value. I just want to see the change that I have made today for all volume_ids, like before and after. I made the changes between 10 and 10:30 in the morning.

solarboyz1
Builder

Something like....

| timechart span=1d avg(iops) as iops
| delta iops as diff


vrmandadi
Builder

The avg command does the average, but what I am looking for is this: if the value is 1000 in the morning and now it is 3000, I need to see something like a table chart which has two fields, before_iops and after_iops, with the values 1000 and 3000.

solarboyz1
Builder

I have a field called volume_id =vol-0h8383hjk and has iops=3990 at 9AM and the same volume_id has value 1000 at 11:30

If you aren't looking to sort the results by time, then you could do something like:

| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| where diff>0
| table _time, iops, p_iops, diff

Which will just show results when it changes.

vrmandadi
Builder

Great, that worked. Can you move your comment to an answer? I will accept it. Thank you very much.

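As an added example (not from the thread or from Splunk), the same per-volume before/after detection that the streamstats search performs, written in Python over a constructed event set. The field names `id` and `iops` follow the sample events; the timestamps and the second volume id are made up. Unlike the thread's `where diff>0`, it keeps decreases as well, which matters when you are auditing configuration changes rather than only looking for increases.

```python
from collections import defaultdict

# Constructed sample events modelled on the volume records in the question.
# Only the fields the search touches are kept; ids, times and sizes are made up.
SAMPLE_EVENTS = [
    {"_time": "2018-05-08T09:00:00Z", "id": "vol-00a327728828ef", "iops": 3990, "size": 1330},
    {"_time": "2018-05-08T10:15:00Z", "id": "vol-00a327728828ef", "iops": 1000, "size": 1330},
    {"_time": "2018-05-08T09:00:00Z", "id": "vol-0h8383hjk", "iops": 1000, "size": 500},
    {"_time": "2018-05-08T10:20:00Z", "id": "vol-0h8383hjk", "iops": 3000, "size": 500},
    {"_time": "2018-05-08T11:30:00Z", "id": "vol-0h8383hjk", "iops": 3000, "size": 500},
]


def iops_changes(events, key="id", field="iops"):
    """Counterpart of `streamstats current=f last(iops) as p_iops by volume_id
    | eval diff=iops-p_iops`, evaluated in time order per volume. Emits one
    record per change with the before/after values; decreases are kept too."""
    by_vol = defaultdict(list)
    for ev in events:
        by_vol[ev[key]].append(ev)
    changes = []
    for vol, evs in by_vol.items():
        # ISO-8601 timestamps in one fixed format sort chronologically as strings.
        evs.sort(key=lambda e: e["_time"])
        prev = None
        for ev in evs:
            if prev is not None and ev[field] != prev[field]:
                changes.append({
                    key: vol,
                    "changed_at": ev["_time"],
                    "before_" + field: prev[field],
                    "after_" + field: ev[field],
                    "diff": ev[field] - prev[field],
                })
            prev = ev
    return sorted(changes, key=lambda c: c["changed_at"])


def changes_in_window(changes, start, end):
    """Restrict to changes made inside [start, end], e.g. the 10:00 to 10:30
    window the asker mentions (same ISO-8601 string format as the events)."""
    return [c for c in changes if start <= c["changed_at"] <= end]


if __name__ == "__main__":
    window = ("2018-05-08T10:00:00Z", "2018-05-08T10:30:00Z")
    for c in changes_in_window(iops_changes(SAMPLE_EVENTS), *window):
        print(c["id"], c["changed_at"], c["before_iops"], "->", c["after_iops"], c["diff"])
```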