Splunk Search

How to create query for count over time of a field value decreasing?

smahoney
Path Finder

I have metrics that are basically
_time host1 monitor_count=2
_time host1 monitor_count=1

This is over different hosts and dynamic monitor_count values. What I want to do is make a query that counts the number of times the monitor_count depreciated over a given time range.

So if host 1 throttles back and forth between 2 and 1, how many times did that happen?

I'm trying many options of streamstats with window=2 earliest(monitor_count) as prev_count by host, but that doesn't seem to be working.  When it drops from 2 to 1, a 1 is recorded for previous and current to that time range.


ITWhisperer
SplunkTrust

Try something like this

| sort 0 _time
| streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host

smahoney
Path Finder

That just returns the current value as the window is 1 and current is false.

I could never get streamstats to work so ended up using a join so set the monitor cap. It's not optimal, but can't figure out why streamstats can't compare 2 numeric values in a window of 2.


ITWhisperer
SplunkTrust

Here is a run-anywhere example showing that prev_count is the count from the previous host.

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval monitor_count=random()%10
| eval host=mvindex(split("ABC",""),random()%3)
| streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host
| fields _time host monitor_count prev_count
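As an added example (not from the original thread), this extends the run-anywhere search above to the count the question actually asks for: how many times monitor_count dropped per host. The field names decreased, decreases and events are my own; the first event per host has no prev_count and is deliberately not counted as a drop.

```spl
| gentimes start=-1 increment=1h
| rename starttime as _time
| eval monitor_count=random()%10
| eval host=mvindex(split("ABC",""),random()%3)
| sort 0 _time
| streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host
| eval decreased=if(isnotnull(prev_count) AND monitor_count<prev_count, 1, 0)
| stats sum(decreased) as decreases count as events by host
```

Replace the gentimes/eval lines with your own base search to run it against real events; sorting by _time before streamstats matters because streamstats compares events in the order they arrive.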