Splunk Search

Conditional statements based on metric trends

winknotes
Explorer

This may actually be 2 questions, but I have 3 metrics I'd like to compare based on how they're trending. So......

Condition is met when metric 1 is trending up, metric 2 and metric 3 are trending down.

I'm not sure how to write a query that ascertains a trend and I'm guessing an if statement would work for the condition.

Tags (1)
0 Karma
1 Solution

adonio
Ultra Champion

hello there,
there are many ways to do it in Splunk. couple of commands to consider: streamstats, detla, trendline, autoregress, accumn
look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline

As there are many other ways to do this, here is a very simplified version of what i understand you are trying to achieve:

    | gentimes start=-1 increment=1m
    | head 10
    | eval _time = starttime
    | table _time
    | eval v1 = random()%10
    | eval v2 = random()%10
    | eval v3 = random()%10
    | rename COMMENT as "the above generates data below is the solution" 
    | delta v1 as dv1 
    | delta v2 as dv2
    | delta v3 as dv3
    | eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")

hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

hello there,
there are many ways to do it in Splunk. couple of commands to consider: streamstats, detla, trendline, autoregress, accumn
look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline

As there are many other ways to do this, here is a very simplified version of what i understand you are trying to achieve:

    | gentimes start=-1 increment=1m
    | head 10
    | eval _time = starttime
    | table _time
    | eval v1 = random()%10
    | eval v2 = random()%10
    | eval v3 = random()%10
    | rename COMMENT as "the above generates data below is the solution" 
    | delta v1 as dv1 
    | delta v2 as dv2
    | delta v3 as dv3
    | eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")

hope it helps

0 Karma

winknotes
Explorer

Thanks so much adonio. I'll experiment with this but looks promising.

0 Karma

adonio
Ultra Champion

@winknotes i converted your answer to a comment, if this works for you, kindly accept the answer and up-vote it

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...