We are logging data from a number of devices which send a periodic heartbeat back to us, which among other things includes the current battery level of the device.
we would like to make some estimations about the lifespan of the battery, and already are charting the battery curve for our devices, but would like to be able to show how long the cycle from 95% - 30% is.
Of course, users could decide to charge phones up halfway through the cycle, so this would make the time artificially greater than normal.
i have tried the transaction statement, using something like:
transaction heartbeat_device_id startswith=(heartbeat_device_battery=95) endswith=(heartbeat_device_battery=30)
but as i understand it, this would not account for a 'mid-day charge'.
does anyone know of a sequence we can use to represent a transaction which ONLY decreases in value (and ignores sequences where the battery level increases) and calculate the time from start to finish?
You might have some success with streamstats.
... | streamstats global=false window=1 last(heartbeat_device_battery) as previous_battery
by heartbeat_device_id | eval delta_battery = heartbeat_device_battery - previous_battery
| where delta_battery > 0
I am not 100% confident on the search above - but the idea is to let streamstats give you events with the current and prior values within the same event - then you can do whatever maths you like to determine if it's an event you wish to keep / alter / or exactly what...