- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Conditional statements based on metric trends
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may actually be 2 questions, but I have 3 metrics I'd like to compare based on how they're trending. So......
Condition is met when metric 1 is trending up, metric 2 and metric 3 are trending down.
I'm not sure how to write a query that ascertains a trend and I'm guessing an if statement would work for the condition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
there are many ways to do it in Splunk. couple of commands to consider: streamstats, detla, trendline, autoregress, accumn
look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline
As there are many other ways to do this, here is a very simplified version of what i understand you are trying to achieve:
| gentimes start=-1 increment=1m
| head 10
| eval _time = starttime
| table _time
| eval v1 = random()%10
| eval v2 = random()%10
| eval v3 = random()%10
| rename COMMENT as "the above generates data below is the solution"
| delta v1 as dv1
| delta v2 as dv2
| delta v3 as dv3
| eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
there are many ways to do it in Splunk. couple of commands to consider: streamstats, detla, trendline, autoregress, accumn
look here for example: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline
As there are many other ways to do this, here is a very simplified version of what i understand you are trying to achieve:
| gentimes start=-1 increment=1m
| head 10
| eval _time = starttime
| table _time
| eval v1 = random()%10
| eval v2 = random()%10
| eval v3 = random()%10
| rename COMMENT as "the above generates data below is the solution"
| delta v1 as dv1
| delta v2 as dv2
| delta v3 as dv3
| eval alert = if(dv1 > 0 AND dv2 < 0 AND dv3 < 0,"ALERT","OK")
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much adonio. I'll experiment with this but looks promising.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@winknotes i converted your answer to a comment, if this works for you, kindly accept the answer and up-vote it
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
