Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I compare one field from multiple resul...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty new to Splunk and have been messing around with searches. However, I am struggling to get to grips with what I want to do. Is anyone able to help me please?
For this data:
20181012-163322 IagoAspas 2.15 2.09 190 Forward 78 CeltaVigo
We have the following fields:
Date Name BP SP Rank Position PosRank Club
This data gets ingested 3 times a minute, at 20 second intervals. The BP, SP, Rank & PosRank fields can change with each result.
If I wanted to compare the BP field over time for every result where Name is equal to IagoAspas, how could I do this, and then:
a) plot it on a line graph
and
b) alert when the BP field value has increased by 5% in the last 10 minutes worth of results (i.e. 3 results a minute, 30 results every 10)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@luke222010,
Does this work for you ?
a . "your search to get the fields"|chart values(BP) over Date by Name
b. "your search to get the fields" |stats first(BP) as start,last(BP) as last by Name|eval diff=((last-start)/start)*100|where diff > 5
Sample data used
Date, Name, BP, SP, Rank ,Position ,PosRank ,Club
2018-10-12 16:33:20,IagoAspas,2.15,2.09,190,Forward,78,CeltaVigo
2018-10-12 16:33:40,IagoAspas1,2.14,2.09,190,Forward,78,CeltaVigo
2018-10-12 16:34:00,IagoAspas,2.11,2.1,190,Forward,78,CeltaVigo
2018-10-12 16:34:20,IagoAspas1,2.13,2.1,190,Forward,78,CeltaVigo
2018-10-12 16:34:40,IagoAspas,2.13,2.1,190,Forward,78,CeltaVigo
2018-10-12 16:35:00,IagoAspas,2.2,2.1,190,Forward,78,CeltaVigo
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@luke222010,
Does this work for you ?
a . "your search to get the fields"|chart values(BP) over Date by Name
b. "your search to get the fields" |stats first(BP) as start,last(BP) as last by Name|eval diff=((last-start)/start)*100|where diff > 5
Sample data used
Date, Name, BP, SP, Rank ,Position ,PosRank ,Club
2018-10-12 16:33:20,IagoAspas,2.15,2.09,190,Forward,78,CeltaVigo
2018-10-12 16:33:40,IagoAspas1,2.14,2.09,190,Forward,78,CeltaVigo
2018-10-12 16:34:00,IagoAspas,2.11,2.1,190,Forward,78,CeltaVigo
2018-10-12 16:34:20,IagoAspas1,2.13,2.1,190,Forward,78,CeltaVigo
2018-10-12 16:34:40,IagoAspas,2.13,2.1,190,Forward,78,CeltaVigo
2018-10-12 16:35:00,IagoAspas,2.2,2.1,190,Forward,78,CeltaVigo
What goes around comes around. If it helps, hit it with Karma 🙂
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
