Splunk Search

How do you compare the same field in two different time periods?

Path Finder

We have events from several hosts. We want to get the difference in the value of the field between two different times by each host and process. And also compare those two Values and display only those values which are higher than those of the previous time period.

  index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process  counter="Private_Bytes"  earliest=-15m@m latest=-5m@m|stats avg(Value) AS Val1 by host process_name | append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process  counter="Private_Bytes"  earliest=-5m@m latest=@m]

I have tried this in some other ways too, but I am not able to display the Value for the current time period.

0 Karma

SplunkTrust

Hi @omprakash9998

Give this a try

index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name 
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| stats latest(older) as older latest(newer) as newer by host process_name
| where newer > older

A better way would be to use something like bins to bucket your samples into groups, but the above should suffice
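A single-search version of the bucketing idea mentioned above, written here as an added example and not part of the original answer: one search covers the whole 15-minute window, eval labels each event as belonging to the older or the newer 5-minute period, and stats computes both averages per host and process in one pass, so no append or join is needed. It then keeps only the rows where the newer average of Private_Bytes is higher, which is what the question asks for. The index, eventtype, object, counter and field names come from the thread; the redundant Host="*" terms are dropped; the names period, delta and pct_change are assumptions for this example.

```spl
index=perfmon eventtype="perfmon_windows" object=Process counter="Private_Bytes" earliest=-15m@m latest=@m
| eval period=if(_time < relative_time(now(), "-5m@m"), "older", "newer")
| stats avg(eval(if(period=="older", Value, null()))) AS older
        avg(eval(if(period=="newer", Value, null()))) AS newer
        by host process_name
| eval delta=newer-older
| eval pct_change=round(100*delta/older, 1)
| where newer > older
| sort - delta
| table host process_name older newer delta pct_change
```

Because the boundary is computed with relative_time(now(), "-5m@m"), it lines up with the latest=-5m@m / earliest=-5m@m split used in the original searches. A process that only exists in the newer window has no older value, so the where clause silently drops it; if newly appeared processes matter (for instance when watching for unexpected memory growth on a host), add OR isnull(older) to the where clause to surface them as well.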

Path Finder

Hi @chrisyoungerjds

The search returns "No results found". But there is a definite difference in the Value for the two time periods. I ran them individually and checked.

Thanks,
om

0 Karma

SplunkTrust

If you cut the search down to this, does it work?

index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name 
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| stats latest(older) as older latest(newer) as newer by host process_name

0 Karma

Path Finder

Now it is populating the table with the fields host, process_name, older and newer. But the older and newer columns are empty.

0 Karma

Path Finder

index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
  | stats avg(Value) AS older by host process_name 
  | join [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
  | table host, process_name, older, newer

I used join in place of append and used the table command at the end instead of stats, and it works for now.

0 Karma