Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Difference volume comparison query for the last 30...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandromatperei
Path Finder
06-16-2020
06:33 AM
Hello, I would like a support for a query to compare the values of the last 30 minutes, if it is below 80% of the volume, generate another column in red or exceed the limit.
Ex:
index="txt" "Retrieving message #"
| timechart span=30m count as server
Command Result:
| _time | server |
| 2020-06-16 08:00:00 | 857 |
| 2020-06-16 08:30:00 | 1605 |
| 2020-06-16 09:00:00 | 4507 |
| 2020-06-16 09:30:00 | 4666 |
| 2020-06-16 10:00:00 | 3798 |
In this case, the first two volumes were below expectations.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
06-16-2020
10:14 AM
Edited to add the requested third column per his original request:
If your goal is to only alert when the data in the current 30 minutes has a greater than 80% increase from the previous 30 minutes this query will accomplish that:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Here are some run anywhere examples with the two use cases you provided to show how it works
| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Same thing but with a below 80% threshhold:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
06-16-2020
10:14 AM
Edited to add the requested third column per his original request:
If your goal is to only alert when the data in the current 30 minutes has a greater than 80% increase from the previous 30 minutes this query will accomplish that:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Here are some run anywhere examples with the two use cases you provided to show how it works
| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval AboveThreshold=if(round(((server-last30)/last30),4)>.8, "True", null())
Same thing but with a below 80% threshhold:
index="txt" "Retrieving message #"
| timechart span=30m count as server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="857
1605
4507
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())| makeresults count=1
| eval server="2000
4666
3798"
| makemv server tokenizer="(?<server>\d+)"
| mvexpand server
| streamstats window=1 current=f values(server) as last30
| eval BelowThreshold=if(round(((server-last30)/last30),4)<.8, "True", null())
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
06-16-2020
07:14 AM
How is the expectation determined?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandromatperei
Path Finder
06-16-2020
08:23 AM
I would like a third column with a written value that is above the threshold or not, if it is below 80% of the previous value.
Ex:
| 2020-06-16 09:00:00 | 2000 |
| 2020-06-16 09:30:00 | 4666 |
| 2020-06-16 10:00:00 | 3798 |
In the period from 09:30 until 10:00 the volume is ok, since the data volume is above 80%. However between 09:00 and 09:30 the value was less than 80%, so I would have to alarm.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
