Splunk Search

## Conditional statements based on metric trends

Path Finder

This may actually be 2 questions, but I have 3 metrics I'd like to compare based on how they're trending. So......

Condition is met when metric 1 is trending up, metric 2 and metric 3 are trending down.

I'm not sure how to write a query that ascertains a trend and I'm guessing an if statement would work for the condition.

1 Solution
Ultra Champion

hello there,
there are many ways to do it in Splunk. a couple of commands to consider: `streamstats`, `delta`, `trendline`, `autoregress`, `accum`
look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline

As there are many other ways to do this, here is a very simplified version of what i understand you are trying to achieve:

```
| gentimes start=-1 increment=1m
| eval _time = starttime
| table _time
| eval v1 = random()%10
| eval v2 = random()%10
| eval v3 = random()%10
| rename COMMENT as "the above generates data below is the solution"
| delta v1 as dv1
| delta v2 as dv2
| delta v3 as dv3
| eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")
```

hope it helps
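The accepted answer compares each sample only with the one immediately before it (`delta`), so a single noisy point flips the result. The search below is an added example, not code from the original answer or from Splunk: it builds a constructed series with `makeresults` (12 points, one per minute, where `v1` rises, `v2` falls, and `v3` falls and then flattens), then uses `streamstats window=5` to judge the trend across the last five points instead of the last two. The field names (`v1_first`, `points`, `trend1`, `alert`) are arbitrary choices for this illustration.

```spl
| makeresults count=12
| streamstats count as n
| eval _time = now() - (12 - n) * 60
| eval v1 = n, v2 = 20 - n, v3 = if(n < 8, 30 - n, 24)
| fields _time v1 v2 v3
| streamstats window=5 count as points, first(v1) as v1_first, last(v1) as v1_last, first(v2) as v2_first, last(v2) as v2_last, first(v3) as v3_first, last(v3) as v3_last
| eval trend1 = case(v1_last > v1_first, "up", v1_last < v1_first, "down", true(), "flat")
| eval trend2 = case(v2_last > v2_first, "up", v2_last < v2_first, "down", true(), "flat")
| eval trend3 = case(v3_last > v3_first, "up", v3_last < v3_first, "down", true(), "flat")
| eval alert = if(points == 5 AND trend1 == "up" AND trend2 == "down" AND trend3 == "down", "ALERT", "OK")
| table _time v1 v2 v3 trend1 trend2 trend3 alert
```

Two points worth checking when adapting this to real data. `streamstats` walks results in the order it receives them, and raw search results arrive newest first, so either pipe through `timechart` (which emits buckets in chronological order) or add `| sort 0 _time` before the `streamstats`; otherwise every trend comes out inverted. The `points == 5` guard keeps the first four rows, whose window is still partial, from alerting on too little history. In the constructed series the alert is "ALERT" once the window fills and goes back to "OK" as soon as `v3` stops falling; to turn this into a scheduled alert, finish the search with `| where alert == "ALERT"` and trigger on a non-zero result count.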


Path Finder

Thanks so much adonio. I'll experiment with this but looks promising.

Ultra Champion

@winknotes I converted your answer to a comment. If this works for you, kindly accept the answer and up-vote it.
