Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculate same event in two different times

tdnguyen1
Explorer
‎11-09-2011 10:02 AM

Hi,

I am new two splunk. I am wondering is there a way to calculate the delta of RXdropped from 5 minutes apart.

10:50:00 RXdropped
123

10:55:00 RXdropped
456

Tags (1)
Reply

tdnguyen1
Explorer
‎11-09-2011 01:30 PM

I did this it seems to work for now.

index=os sourcetype="interfaces" host="prdcg4mdbl03.oss.prd" | multikv | eval PercError_PacketLoss=round(((Error * 100)/(RXbytes+TXbytes)),1) | eval StatusError = if(PercError_PacketLoss >= 1.0, "WARNING", "OK") | eval PercRX_PacketLoss=round(((RXdropped * 100)/RXbytes),1) | eval PercTX_PacketLoss=round(((TXdropped * 100)/TXbytes),1) | eval StatusRX = if(PercRX_PacketLoss >= 1.0, "WARNING", "OK") | eval StatusTX = if(PercTX_PacketLoss >= 1.0, "WARNING", "OK") | table time Name StatusError PercError_PacketLoss StatusRX PercRX_PacketLoss StatusTX PercTX_PacketLoss

Reply

Jon_Webster
Splunk Employee
Splunk Employee
‎11-09-2011 10:27 AM

Hello! Welcome to Splunk!

If you download the *NIX App, you'll find there is a dashboard for network traffic.
Here's the link: http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux

This is the search that the *nix app uses:

index="os" sourcetype="interfaces" host=*  | multikv fields name, inetAddr, RXbytes, TXbytes  | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name   | eval time=_time  | strcat Name "-" inetAddr "@" host Interface_Host  | eval RX_Thruput = lastRX-RXbytes  | eval TX_Thruput = lastTX-TXbytes  | timechart eval(sum(TX_Thruput)/dc(time)) by Interface_Host

In the "streamstats" function, it's creating two new fields: last(Txbytes) as lastTX, and last(Rxbytes) as lastRX. Later it subtracts the last value from the current value with:
Eval RX_Thruput=lastRX-Rxbytes

The last() function gets the most recent value of a field and adds it to the current event. Remember that the default order of events in Splunk is reverse chronological order, so when an event gets the "last" value of a field it's getting it from a later time, so subtracting the "current" value from the "last" value give us the difference, which is the throughput for the period.

Best regards,
Jon

0 Karma
Reply

Jon_Webster
Splunk Employee
Splunk Employee
‎11-09-2011 03:25 PM

It is calculating the delta.
This eval statement subtracts Rxbytes from lastRX and assigns the result to RX_Thruput. 

eval RX_Thruput=lastRX-Rxbytes

In other words: 

lastRX (456) - Rxbytes (123) = RX_Thruput (333)

It's not using RXdropped, but if you use RXdropped you'll get the results you want.

0 Karma
Reply

tdnguyen1
Explorer
‎11-09-2011 01:30 PM

For some reasons, I could not get the right result using your query.

0 Karma
Reply

tdnguyen1
Explorer
‎11-09-2011 11:23 AM

Hi Jon,

Thanks for your fast response. I really appreciated that. The result is not what I expected. I am looking for the delta. Something like this.

456 - 123 = 333

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...