
## Conditional statements based on metric trends

Path Finder

This may actually be 2 questions, but I have 3 metrics I'd like to compare based on how they're trending. So......

Condition is met when metric 1 is trending up, metric 2 and metric 3 are trending down.

I'm not sure how to write a query that ascertains a trend and I'm guessing an if statement would work for the condition.

1 Solution
Ultra Champion

Hello there,
there are many ways to do it in Splunk. A couple of commands to consider: `streamstats, delta, trendline, autoregress, accum`
Look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline

As there are many other ways to do this, here is a very simplified version of what I understand you are trying to achieve:

```
| gentimes start=-1 increment=1m
| eval _time = starttime
| table _time
| eval v1 = random()%10
| eval v2 = random()%10
| eval v3 = random()%10
| rename COMMENT as "the above generates data below is the solution"
| delta v1 as dv1
| delta v2 as dv2
| delta v3 as dv3
| eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")
```

hope it helps
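
An added example, not part of the original answer: the same condition evaluated on smoothed values, so that a single noisy sample does not flip the alert. It goes beyond the answer by combining `trendline`, `delta` and `streamstats`; the 5-point moving average and the 3-interval persistence window are assumed values to tune for real data, and the field names `s1`..`s3`, `ds1`..`ds3`, `match` and `hits` are made up for the illustration.

```spl
| gentimes start=-1 increment=1m
| eval _time = starttime
| table _time
| eval v1 = random()%10, v2 = random()%10, v3 = random()%10
| rename COMMENT as "constructed sample data above, trend logic below"
| rename COMMENT as "smooth each metric with a 5-point simple moving average (assumed period)"
| trendline sma5(v1) as s1 sma5(v2) as s2 sma5(v3) as s3
| rename COMMENT as "direction of each smoothed series between consecutive intervals"
| delta s1 as ds1
| delta s2 as ds2
| delta s3 as ds3
| rename COMMENT as "1 when metric 1 rises while metrics 2 and 3 fall, 0 otherwise (including rows where the average is not yet available)"
| eval match = if(ds1 > 0 AND ds2 < 0 AND ds3 < 0, 1, 0)
| rename COMMENT as "require the pattern to hold for 3 consecutive intervals (assumed window)"
| streamstats window=3 sum(match) as hits
| eval alert = if(hits == 3, "ALERT", "OK")
```

With the random sample data the alert fires rarely; replace the first four lines with the real base search and a `timechart` or `bin` step that yields one row per interval.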

Path Finder

Thanks so much adonio. I'll experiment with this but looks promising.

Ultra Champion

@winknotes I converted your answer to a comment. If this works for you, kindly accept the answer and up-vote it.
