Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Difference volume comparison query for the las...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandromatperei
Path Finder
06-16-2020
06:33 AM
Hello, I would like a support for a query to compare the values of the last 30 minutes, if it is below 80% of the volume, generate another column in red or exceed the limit.
Ex:
index="txt" "Retrieving message #"
| timechart span=30m count as server
Command Result:
| _time | server |
| 2020-06-16 08:00:00 | 857 |
| 2020-06-16 08:30:00 | 1605 |
| 2020-06-16 09:00:00 | 4507 |
| 2020-06-16 09:30:00 | 4666 |
| 2020-06-16 10:00:00 | 3798 |
In this case, the first two volumes were below expectations.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
06-16-2020
10:14 AM
Edited to add the requested third column per his original request:
If your goal is to only alert when the data in the current 30 minutes has a greater than 80% increase from the previous 30 minutes this query will accomplish that:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Here are some run anywhere examples with the two use cases you provided to show how it works
| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Same thing but with a below 80% threshhold:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
06-16-2020
10:14 AM
Edited to add the requested third column per his original request:
If your goal is to only alert when the data in the current 30 minutes has a greater than 80% increase from the previous 30 minutes this query will accomplish that:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Here are some run anywhere examples with the two use cases you provided to show how it works
| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Same thing but with a below 80% threshhold:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
06-16-2020
07:14 AM
How is the expectation determined?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandromatperei
Path Finder
06-16-2020
08:23 AM
I would like a third column with a written value that is above the threshold or not, if it is below 80% of the previous value.
Ex:
| 2020-06-16 09:00:00 | 2000 |
| 2020-06-16 09:30:00 | 4666 |
| 2020-06-16 10:00:00 | 3798 |
In the period from 09:30 until 10:00 the volume is ok, since the data volume is above 80%. However between 09:00 and 09:30 the value was less than 80%, so I would have to alarm.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
What Is Splunk? Here’s What You Can Do with Splunk
Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...
Level Up Your .conf25: Splunk Arcade Comes to Boston
With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...
