Re: Query for count over time of a field value dec...

smahoney · ‎07-28-2022

I have metrics that are basically
_time host1 monitor_count=2
_time host1 monitor_count=1

This is over different hosts and dynamic monitor_count values. What I want to do is make a query that counts the amount of times the monitor_count depreciated over a given time range.

So if host 1 throttles back and forth between 2 and 1, how many times did that happen?

I'm trying many options of streamstats with window=2 earliest(monitor_count) as prev_count by host, but that doesn't seem to be working. When it drops from 2 to 1, a 1 is recorded for previous and current to that time range.

ITWhisperer · ‎07-28-2022

Try something like this

| sort 0 _time
| streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host

smahoney · ‎07-29-2022

That just returns the current value as the window is 1 and current is false.

I could never get streamstats to work so ended up using a join so set the monitor cap. Its not optimal, but can't figure out why streamstats cant compare 2 numeric values in a window of 2.

ITWhisperer · ‎07-29-2022

Here is a runanywhere example showing that prev_count is the count from the previous host.

| gentimes start=-1 increment=1h 
| rename starttime as _time 
| eval monitor_count=random()%10
| eval host=mvindex(split("ABC",""),random()%3) 
| streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host
| fields _time host monitor_count prev_count

How to create query for count over time of a field value decreasing?

stats

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann