Solved: How to get a trendline or show change when a value...

vrmandadi · ‎08-30-2019

How can I show change in a value of a field .For instance , I have a field called volume_id =vol-0h8383hjk and has iops=3990 at 9AM and and the same volume_id has value 1000 at at 11:30 as I changed the IOPS for few Volume ID's and want to track the changes .How can I show that changes in a trend for each volume_id OR SHOW WHAT WAS CHANGED LIKE WHAT WAS IT BEFORE AND WHAT WAS IT AFTER.Below is the sample events

{"account_id": "121313", "id": "vol-00a327728828ef", "create_time": "2018-05-08T05:00:00.173Z", "type": "gp2", "attach_data": {"status": "attached", "id": "vol-00a327728828ef", "device": "/dev/sdg", "instance_id": "i-xxxxxxxxxx", "deleteOnTermination": "true", "attach_time": "2018-05-08T05:00:01.000Z"}, "region": "usx", "status": "in-use", "snapshot_id": "snap-xxxxxxxx", "zone": "us-east-1e", "encrypted": true, "size": 1330, **"iops": 3990**, "tags": {"lm:ENVIRONMENT": "Test", "Patch Group": "db", "LM-Snapshot": "weekly", "ssm-patch": "yes", "lm:APPID": "9,3", "lm:PROJECT": "68", "CreateSnapshotDaily": "False", "lm:OWNER": "Tech", "CreateSnapshotWeekly": "True", "Exclude-Snapshot": "Daily", "account": "ss", "Name": "AZ4", "lm:ATION": "le,T, "m:NAME": "4"}}

{"account_id": "121313", "id": "vol-00a327728828ef", "create_time": "2018-05-08T05:00:00.173Z", "type": "gp2", "attach_data": {"status": "attached", "id": "vol-00a327728828ef", "device": "/dev/sdg", "instance_id": "i-xxxxxxxxxx", "deleteOnTermination": "true", "attach_time": "2018-05-08T05:00:01.000Z"}, "region": "usx", "status": "in-use", "snapshot_id": "snap-xxxxxxxx", "zone": "us-east-1e", "encrypted": true, "size": 1330, **"iops": 1000**, "tags": {"lm:ENVIRONMENT": "Test", "Patch Group": "db", "LM-Snapshot": "weekly", "ssm-patch": "yes", "lm:APPID": "9,3", "lm:PROJECT": "68", "CreateSnapshotDaily": "False", "lm:OWNER": "Tech", "CreateSnapshotWeekly": "True", "Exclude-Snapshot": "Daily", "account": "ss", "Name": "AZ4", "lm:ATION": "le,T, "m:NAME": "4"}}

Thanks in advance

solarboyz1 · ‎08-30-2019

Something like?

.....
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
|  timechart avg(diff) by volume_id

View solution in original post

solarboyz1 · ‎08-30-2019

Try this....

....
 | streamstats current=f last(iops) as p_iops by volume_id
 | eval diff=iops-p_iops
 | where diff>0
 | table _time, iops, p_iops, diff

solarboyz1 · ‎08-30-2019

Something like?

.....
| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
|  timechart avg(diff) by volume_id

vrmandadi · ‎08-30-2019

Hello @solarboyz1 ,
Thank You for your reply.

that is giving me totally different value .I just want to see the change that I have made today for all volume_id 's like before and after .I made the changes between 10 to 10 30 in the morning

solarboyz1 · ‎08-30-2019

Soemthing like....

| timechart span=1d avg(iops) as iops
| delta iops as diff

vrmandadi · ‎08-30-2019

the avg command does the average , but what i am looking is if the value is 1000 in the morning and now it is 3000. I need to see like a table chart which has two fields before_iops and after_iops with values 1000 and 3000

solarboyz1 · ‎08-30-2019

I have a field called volume_id =vol-0h8383hjk and has iops=3990 at 9AM and and the same volume_id has value 1000 at at 11:30

If you aren't looking to sort the results by time, then you could do something like:

| streamstats current=f last(iops) as p_iops by volume_id
| eval diff=iops-p_iops
| where diff>0
| table _time, iops, p_iops, diff

Which will just generate show results when it changes.

vrmandadi · ‎08-30-2019

great that worked. Can you move your comment to answer.I will accept it.Thank you very much

How to get a trendline or show change when a value of a field is changed?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk