Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check the gradual increase of the value of a field which crosses 3 time increment

akarivaratharaj
Communicator
‎03-26-2019 10:21 AM

I have a requirement, where I need to display name of an queue, for which the size of the queue is keep on increasing. Basically I am searching for every 15 minutes, to check in each 5 minutes of time span, what is the size of my queue. If the size of the queue in each 5 minutes shows some gradual increase, I want that queue to be displayed. There may be the case first 10 minutes, it increase and again the 3rd time it may decrease. I dont want that kind of information. For example
Queue Name: XY
Size of the Queue in last 15 minutes:
1st 5 minute size - 10
2nd 5 minute size - 20
3rd 5 minute size - 30
4th 5 minute size - 35, etc.,

So in this kind of situation I want to check only the 15 minutes with 5 minutes time span and see whether there is any increment in the value of the field. If there is a positive growth in continuous 3 times, then I need to display that particular queue.

I have checked that streamstats will be helpful in this case. Can anyone please suggest me on this?

0 Karma
Reply

adonio
Ultra Champion
‎03-26-2019 11:55 AM

try this anywhere:

| gentimes start=-1 increment=5m
| head 20
| eval _time = starttime 
| eval queue = "queue1"
| table _time queue
| eval value = random()%20 + 20
| streamstats current=f window=1 last(value) as prev_value
| streamstats current=f window=1 last(prev_value) as prev_prev_value
| eval growing =  if(value > prev_value AND prev_value > prev_prev_value,1,0)

look for where growing has a value of 1

note: might be other better and cleaner ways to achieve

0 Karma
Reply

akarivaratharaj
Communicator
‎04-01-2019 10:03 PM

Hi @adonio , I have tried this method but it is not giving me the expected one. Below is my current search query. Here we are comparing the current depth of the queue with a threshold limit which is fed through a lookup file. If possible please let me know any other ways to achieve this.

earliest=-5m@m index=* sourcetype=* host=prod*
|stats latest(DEPTH) AS "QueueDepth" latest(AGE) as "MessageAge" by QUEUE, _time
| lookup Queue_Threshold.csv  QUEUE OUTPUT THRESHOLD_DEPTH, THRESHOLD_AGE
|eval Behaviour=case((QueueDepth > THRESHOLD_DEPTH AND MessageAge > THRESHOLD_AGE),"Abnormal",MessageAge > THRESHOLD_AGE, "Abnormal", 1=1,"Normal")  
| search Behaviour="Abnormal"  AND QueueDepth > 0
|stats latest(QueueDepth) as QueueDepth, latest(MessageAge) as MessageAge, max(THRESHOLD_DEPTH) as NormalThresholdQueueDepth, max(THRESHOLD_AGE) as NormalThresholdMessageAge  by  QUEUE
0 Karma
Reply

akarivaratharaj
Communicator
‎04-02-2019 08:28 PM

Hi @vnravikumar ,
Any suggestions on this?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...