Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to detect a significant change in events frequency over a sliding window?

pm771
Communicator
‎05-26-2016 02:43 PM

Based on an event log we would like to find event type which frequency changed by 50% or more over a 5 min window.

Using my limited Splunk knowledge and heavy Googling, I came up with something like this:

index=index_of_events | eval cnt=1 | timechart span=20s limit=40 per_second(cnt) as ev  by ev_typeuseother=f usenull=f |
streamstats window=40 global=false first(ev) as start last(ev) as end by ev_type | 
eval diff=abs(start-end) | eval max_val=max(start, end) | 
where diff > 0 AND max > 0 | eval prc=100*diff/max_val | where prc > 50

I'm getting reasonable output after streamstats, but then I'm losing the data.

Was it OK to pipe timechart directly into streamstats? Did I need untable (or something) in between?

How do I get it right?

0 Karma
Reply

sundareshr
Legend
‎05-26-2016 03:34 PM

See if this gets you what you're looking for

index=index_of_events | bin span=5m _time | stats count by _time evtype | streamstats window=1 current=f global=f first(count) as start by evtype | eval diff=(abs(start-count)/start)*100 | where diff>50
0 Karma
Reply

pm771
Communicator
‎05-31-2016 02:15 PM

Unfortunately I do not believe it solves my problem, as it compares adjacent number of events, while I need to compare frequencies. In physics terms, I need to measure drops of speed and not distance. That's why I used per_second().

Have I missed something in your solution?

What is wrong with my query? Can it be somehow salvaged?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...