Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difference volume comparison query for the last 30 minutes

leandromatperei
Path Finder
‎06-16-2020 06:33 AM

Hello, I would like a support for a query to compare the values ​​of the last 30 minutes, if it is below 80% of the volume, generate another column in red or exceed the limit.

Ex:

index="txt" "Retrieving message #"
| timechart span=30m count as server

Command Result:

_timeserver
2020-06-16 08:00:00857
2020-06-16 08:30:001605
2020-06-16 09:00:004507
2020-06-16 09:30:004666
2020-06-16 10:00:003798

In this case, the first two volumes were below expectations.
 
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎06-16-2020 10:14 AM

Edited to add the requested third column per his original request:

If your goal is to only alert when the data in the current 30 minutes has a greater than 80% increase from the previous 30 minutes this query will accomplish that:

 

index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())

 

Here are some run anywhere examples with the two use cases you provided to show how it works

 

| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())

 

Same thing but with a below 80% threshhold:

index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎06-16-2020 10:14 AM

Edited to add the requested third column per his original request:

If your goal is to only alert when the data in the current 30 minutes has a greater than 80% increase from the previous 30 minutes this query will accomplish that:

 

index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())

 

Here are some run anywhere examples with the two use cases you provided to show how it works

 

| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())

 

Same thing but with a below 80% threshhold:

index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-16-2020 07:14 AM
How is the expectation determined?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

leandromatperei
Path Finder
‎06-16-2020 08:23 AM

I would like a third column with a written value that is above the threshold or not, if it is below 80% of the previous value.

Ex:

2020-06-16 09:00:002000
2020-06-16 09:30:004666
2020-06-16 10:00:003798


In the period from 09:30 until 10:00 the volume is ok, since the data volume is above 80%. However between 09:00 and 09:30 the value was less than 80%, so I would have to alarm.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...