Splunk Search

How to create a timechart that takes the remainder of a field value and adds it to the previous bucket?

jfraiberg
Communicator

I have the following metrics:

date:01 yada yada yada total 80
date:02 yada yada yada total 120
date:03 yada yada yada total 50
date:04 yada yada yada total 110
date:05 yada yada yada total 40

I need a timechart that will take the remainder of the total (anything over 100) and add it to the total of the previous minute; e.g. the above should end up looking like so:

date:01 yada yada yada total 100
date:02 yada yada yada total 100
date:03 yada yada yada total 60
date:04 yada yada yada total 100
date:05 yada yada yada total 40
0 Karma
1 Solution

niketn
Legend

Extending the run anywhere example by @DalJeanis

 | gentimes start="03/01/2017:00:00:00" end="03/15/2017:00:00:00" increment=1d 
 | eval _time = starttime 
 | eval daytrans = 25+random() % 140 
 | table _time daytrans

The following query using streamstats should work; adjustedtrans is the field that has the required values (however, this will do only a one-time adjustment, as after adding to the previous total, the total for that timeframe might cross 100):

| sort 0 -_time
| streamstats current=f window=1 last(daytrans) as nexttrans
| eval overflow=if(nexttrans>100, nexttrans-100, 0)
| eval adjustedtrans=min(daytrans,100)+overflow
| sort 0 _time
| table _time daytrans nexttrans overflow adjustedtrans
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
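
The carry-back described in the question and in the accepted answer, as an added Python example (not code from the thread, and not Splunk SPL): it implements both the single-hop adjustment that one streamstats pass gives and the full cascading version that the caveat in the answer refers to, run over a constructed copy of the question's numbers plus a second constructed series in which the carried excess itself pushes a bucket over the cap. The function names, the 100 cap constant and both sample series are assumptions for illustration.

```python
"""Carry-back of per-bucket overflow (added example, not code from the thread).

Each time bucket may hold at most CAP; whatever exceeds CAP in bucket t is
moved into bucket t-1. carry_back_one_hop() mirrors what a single streamstats
pass does (one hop, no re-check of the receiving bucket); carry_back() keeps
pushing the excess backwards until it is absorbed or runs off the front.
All names, the cap value and the sample series are assumptions for illustration.
"""

CAP = 100  # assumed cap, taken from the question's "anything over 100"

# Constructed sample input: (bucket label, total) in ascending time order,
# mirroring the numbers in the question.
SAMPLE = [("01", 80), ("02", 120), ("03", 50), ("04", 110), ("05", 40)]

# Constructed series where the carried excess itself pushes a bucket over the
# cap, the case the answer's caveat describes.
CASCADE = [("01", 90), ("02", 100), ("03", 130)]


def carry_back_one_hop(buckets, cap=CAP):
    """Single-hop adjustment, equivalent to one streamstats pass in SPL.

    Each bucket is capped at `cap` and receives the excess of the bucket
    immediately after it. The receiving bucket is NOT re-checked, so it can
    end up above the cap when the carried amount is large.
    """
    totals = [total for _, total in buckets]
    adjusted = []
    for i, total in enumerate(totals):
        next_excess = max(totals[i + 1] - cap, 0) if i + 1 < len(totals) else 0
        adjusted.append(min(total, cap) + next_excess)
    return [(label, t) for (label, _), t in zip(buckets, adjusted)]


def carry_back(buckets, cap=CAP):
    """Full carry-back: walk from the latest bucket to the earliest, moving any
    excess over `cap` into the previous bucket. Because the walk is backwards,
    a bucket that has just received excess is examined next and may pass some
    of it further back. Returns (adjusted buckets, leftover), where leftover
    is excess that reached the earliest bucket and could not be placed.
    """
    totals = [total for _, total in buckets]
    for i in range(len(totals) - 1, 0, -1):
        excess = totals[i] - cap
        if excess > 0:
            totals[i] = cap
            totals[i - 1] += excess
    leftover = max(totals[0] - cap, 0) if totals else 0
    if totals:
        totals[0] = min(totals[0], cap)
    return [(label, t) for (label, _), t in zip(buckets, totals)], leftover


if __name__ == "__main__":
    for series in (SAMPLE, CASCADE):
        print("input:   ", series)
        print("one hop: ", carry_back_one_hop(series))
        print("full:    ", carry_back(series))
```

On the question's numbers both functions produce the expected 100/100/60/100/40 series. The difference only shows on the second series: one hop leaves the middle bucket at 130, whereas the full carry pushes the excess on to the earliest bucket and reports the 20 that cannot be placed anywhere. In SPL the single-hop version is one streamstats pass; the cascading version needs either repeated passes or a different formulation, which is the limitation the answer notes.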

DalJeanis
Legend

I don't have an elegant solution yet, but for anyone who wants to take a stab at it, here's some run-anywhere code that mocks up test data.

| gentimes start="03/01/2017:00:00:00" end="03/15/2017:00:00:00" increment=1d 
| eval _time = starttime 
| eval daytrans = 25+random() % 140 
| table _time daytrans
0 Karma

niketn
Legend

@jfraiberg ... What if, after adjusting the total, the previous minute's total goes above 100? Does it need to be adjusted again?

Also, if you can provide some context around the purpose of this, or your search query and/or mocked-up data/fields, that would also be useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma