Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to only show when a value changes?

andynewsoncap
Engager
‎08-15-2022 07:12 AM

Hello,

I have data being gather one per min.  

FYI its disk usage %.

Is it possible to create an SPL that output simple time from _time and UsePct every time UsePct changes.

Not dedup it well yes but only when it (UsePct) changes.  So if on a give date / hour / min it goes up or down.  I can track the change.

i.e.

2022-08-15 07:54:29 100%
2022-08-15 07:55:29 100%
2022-08-15 07:56:29 100%
2022-08-15 07:57:29 100%
2022-08-15 07:58:29 99%
2022-08-15 08:00:29 100%
2022-08-15 08:01:29 100%
2022-08-15 08:02:29 100%

 

For this i would see 

2022-08-15 07:57:29 100%
2022-08-15 07:58:29 99%
2022-08-15 07:59:29 100%

Close as i can get it this

((index=windows OR index=perfmon OR index=os*) tag=oshost tag=performance tag=storage) host=by0saq Filesystem="/dev/mapper/vgappl-_u01_app"
| eval date=strftime(_time,"%x")
| sort _time
| table date UsePct
| dedup date

 

Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-15-2022 07:26 AM

If UsePct is already numeric, then you don't need to extract the digits

Also, 07:57:29 would not be in your results because it doesn't differ from 07:56:29

| rex field=UsePct "(?<UsePct>\d+)%"
| sort 0 _time
| streamstats range(UsePct) as change window=2
| where change > 0

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-15-2022 07:26 AM

If UsePct is already numeric, then you don't need to extract the digits

Also, 07:57:29 would not be in your results because it doesn't differ from 07:56:29

| rex field=UsePct "(?<UsePct>\d+)%"
| sort 0 _time
| streamstats range(UsePct) as change window=2
| where change > 0
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...