Solved: Re: How to filter a record among multiple events

febbi · ‎01-31-2021

I have a table like in splunk this:

appname	value	time
app1	10	2020-12-30
app1	12	2020-12-31
app2	23	2020-12-30
app2	20	2020-12-31

I want to filter the records that the value is increasing while the time. In this case, we can only find

(app1, 12 2020-12-31)

How could I write the splunk sql to implement this?

tread_splunk · ‎02-02-2021

No problem. The solution I posted works for multiple rows per app.

Just add...

| streamstats count by app
| eval count="Row ".count
| xyseries app count value

Definitely worth getting to grips with xyseries and untable commands.

View solution in original post

tread_splunk · ‎01-31-2021

index=_internal 
| rename sourcetype as app 
| timechart count span=5m by app partial=f limit=0 
| untable _time,app,count 
| sort app,_time,count 
| streamstats count as counter by app
| eventstats count as total by app 
| streamstats sum(count) as prevCount by app window=1 current=f global=f 
| eval delta=count-prevCount 
| where counter=total AND delta>0

How about this? Lines 1-5 are to create some test data. The rest is the solution.

tread_splunk · ‎02-01-2021

I've used

| streamstats sum(count) as prevCount by app window=1 current=f global=f

...instead of delta because I've assumed you want / need the "by app" clause.

I've also assumed you only want to know when the most recent event (per app) has a larger value than the previous event

febbi · ‎02-02-2021

Thanks for your answer, but it still doesn't work for me.

Are there ant ways to convert the table to

appname	row1	row2
app1	10	12
app2	23	30

Then I can compare the "row1 < row2".

Thanks again

tread_splunk · ‎02-02-2021

Will each app (app1, app2 etc) only ever have 2 values?

febbi · ‎02-02-2021

Each app may have several values, we need to convert the values to different columns according to the same app.

tread_splunk · ‎02-02-2021

No problem. The solution I posted works for multiple rows per app.

Just add...

| streamstats count by app
| eval count="Row ".count
| xyseries app count value

Definitely worth getting to grips with xyseries and untable commands.

febbi · ‎02-02-2021

It works for me!, Thanks very much!

tread_splunk · ‎02-02-2021

index=_internal 
| rename sourcetype as app 
| timechart count span=5m by app partial=f limit=0 
| untable _time,app,count 
| sort app, _time 
| streamstats count as counter by app 
| eventstats count as total by app 
| where counter=1 OR counter=total 
| table app count _time 
| rename count as value 
| streamstats count by app 
| eval count="Row ".count 
| xyseries app count value

Assuming you only have 2 rows per app, and you already have the data as per your table, then you just need the last 3 lines in the above. Everything above that is to generate some test data in the same format as your table.

scelikok · ‎01-31-2021

Hi @febbi,

Please try below;

| sort time
| delta value as value_diff
| where value_diff > 0

If this reply helps you an upvote and "Accept as Solution" is appreciated.

febbi · ‎02-02-2021

Thanks for your answer, but it still doesn't work for me.

Are there ant ways to convert the table to

appname	row1	row2
app1	10	12
app2	23	30

Then I can compare the "row1 < row2".

Thanks again

How to filter a record among multiple events

lookup

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?