Solved: How to only show when a value changes?

andynewsoncap · ‎08-15-2022

Hello,

I have data being gather one per min.

FYI its disk usage %.

Is it possible to create an SPL that output simple time from _time and UsePct every time UsePct changes.

Not dedup it well yes but only when it (UsePct) changes. So if on a give date / hour / min it goes up or down. I can track the change.

i.e.

2022-08-15 07:54:29

100%

2022-08-15 07:55:29

100%

2022-08-15 07:56:29

100%

2022-08-15 07:57:29

100%

2022-08-15 07:58:29

99%

2022-08-15 08:00:29

100%

2022-08-15 08:01:29

100%

2022-08-15 08:02:29

100%

For this i would see

2022-08-15 07:57:29

100%

2022-08-15 07:58:29

99%

2022-08-15 07:59:29

100%

Close as i can get it this

((index=windows OR index=perfmon OR index=os*) tag=oshost tag=performance tag=storage) host=by0saq Filesystem="/dev/mapper/vgappl-_u01_app"
| eval date=strftime(_time,"%x")
| sort _time
| table date UsePct
| dedup date

Thanks.

ITWhisperer · ‎08-15-2022

If UsePct is already numeric, then you don't need to extract the digits

Also, 07:57:29 would not be in your results because it doesn't differ from 07:56:29

| rex field=UsePct "(?<UsePct>\d+)%"
| sort 0 _time
| streamstats range(UsePct) as change window=2
| where change > 0

View solution in original post

ITWhisperer · ‎08-15-2022

If UsePct is already numeric, then you don't need to extract the digits

Also, 07:57:29 would not be in your results because it doesn't differ from 07:56:29

| rex field=UsePct "(?<UsePct>\d+)%"
| sort 0 _time
| streamstats range(UsePct) as change window=2
| where change > 0

How to only show when a value changes?

using Splunk Enterprise

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk