Splunk Search

How to find traffic change from a search?

phularah
Communicator

I have a search and the resultant output as shown below:
search is --> eventtype=cacti:mirage host=onl-cacti-02 rrdn=traffic_in host_id IN (215) ldi IN (9069,9070,9071,9073,9074,9075,9077,9078,9079)
hostname IN (slrmpqfh-c1mpt-01-owmlb01)
| reverse
| streamstats current=t window=2 global=f range(_time) as deltaTime range(rrdv) AS rrd_value_delta by name_cache
| eval isTraffic = if(like(rrdn,"%traffic%"),1,0)
| eval kpi = if(isTraffic==1,rrd_value_delta*8/deltaTime/1024/1024/1024,rrd_value_delta/deltaTime)
| noop feature_flag=stats:allow_stats_v2:false
| timechart span=5m limit=0 useother=f list(kpi) as kpi by name_cache

(screenshot of the timechart output omitted)

What I want to have are new fields fe01, fe02 and so on that would give the percentage change in value for each of the fields. I know timechart is not the command to use here. I tried eventstats and streamstats but wasn't able to do what I wanted.

Each ldi in my search corresponds to a unique name_cache, and host_id corresponds to a unique hostname. It is easier to filter data via the ldi and host_id fields than to type the long and complicated name_cache and hostname fields.


e.g., the new field FE01 should be like ((1.21-1.33)/1.21-(1.21-1.33))*100, and the same formula for the other fields.
That is, the new fields FE01, FE02 and so on would show the traffic change percentage.

@somesoni2 @andrewtrobec @lakshman239 @efavreau @phanTom @diogofgm @woodcock 


phularah
Communicator

Never mind, I was able to solve it by myself.

eventtype=cacti:mirage host=onl-cacti-02 rrdn=traffic_in host_id IN (215) ldi IN (9069,9070,9071,9073,9074,9075,9077,9078,9079)
hostname IN (slrmpqfh-c1mpt-01-owmlb01)
| reverse
| streamstats current=t window=2 global=f range(_time) as deltaTime range(rrdv) AS rrd_value_delta by name_cache
| eval isTraffic = if(like(rrdn,"%traffic%"),1,0)
| eval kpi = if(isTraffic==1,rrd_value_delta*8/deltaTime/1024/1024/1024,rrd_value_delta/deltaTime)

| streamstats current=f window=2 global=f last(kpi) as previouskpi by name_cache
| eval change=round(((kpi-previouskpi)/previouskpi)*100,2)

| noop feature_flag=stats:allow_stats_v2:false
| timechart span=5m limit=0 useother=f first(change) as change_percent list(kpi) as kpi by name_cache

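To check the arithmetic of the accepted answer offline, here is an added Python re-implementation of its pipeline (not code from the thread or from Splunk): chronological ordering (the `| reverse`), the two-event `streamstats` window that yields deltaTime and rrd_value_delta, the kpi eval, the previouskpi lookup, the percent-change eval, and the `timechart span=5m first(change)` bucketing. The sample events are constructed; the counter values are chosen so the kpi lands on round numbers, and the rrdn `errors_in` is an assumed non-traffic name used only to exercise the else branch of the kpi eval. It also shows two cases the SPL handles silently: on the first event of a series the window has one event, so both ranges are 0 and 0/0 is null; and when previouskpi is 0 the change is null too, because eval returns null on division by zero.

```python
from collections import defaultdict, deque

GIB = 1024 ** 3  # the /1024/1024/1024 in the kpi eval

# Constructed sample events (epoch _time, name_cache, rrdn, rrdv), 60 s polling.
EVENTS = [
    (1682571600, "fe01", "traffic_in", 0),
    (1682571660, "fe01", "traffic_in", 8_053_063_680),   # +8,053,063,680 bytes / 60 s = 1.0 Gbps
    (1682571720, "fe01", "traffic_in", 18_119_393_280),  # 1.25 Gbps
    (1682571780, "fe01", "traffic_in", 26_172_456_960),  # 1.0 Gbps
    (1682571600, "fe02", "traffic_in", 0),
    (1682571660, "fe02", "traffic_in", 0),               # flat counter -> kpi 0
    (1682571720, "fe02", "traffic_in", 8_053_063_680),   # previouskpi is 0 -> change is null
    (1682571600, "fe03", "errors_in", 0),                # assumed non-traffic rrdn
    (1682571660, "fe03", "errors_in", 30),
    (1682571720, "fe03", "errors_in", 90),
]


def safe_div(a, b):
    """Mirror Splunk eval: dividing by zero or by null yields null (None)."""
    if a is None or b is None or b == 0:
        return None
    return a / b


def compute_kpi(events):
    """| reverse
       | streamstats current=t window=2 global=f range(_time) as deltaTime range(rrdv) AS rrd_value_delta by name_cache
       | eval isTraffic / kpi
    Events are processed oldest first; range() over the 2-event window is max - min."""
    rows = []
    prev = {}  # name_cache -> previous event of that series
    for t, name, rrdn, rrdv in sorted(events, key=lambda e: (e[0], e[1])):
        p = prev.get(name)
        delta_t = abs(t - p[0]) if p else 0       # first event: window holds one event, range is 0
        delta_v = abs(rrdv - p[3]) if p else 0    # note: range() is max-min, so a counter reset still gives a positive delta
        is_traffic = 1 if "traffic" in rrdn else 0
        if is_traffic:
            rate = safe_div(delta_v * 8, delta_t)  # bits per second
            kpi = rate / GIB if rate is not None else None
        else:
            kpi = safe_div(delta_v, delta_t)
        rows.append({"_time": t, "name_cache": name, "rrdn": rrdn, "rrdv": rrdv,
                     "deltaTime": delta_t, "rrd_value_delta": delta_v, "kpi": kpi})
        prev[name] = (t, name, rrdn, rrdv)
    return rows


def add_change(rows):
    """| streamstats current=f window=2 global=f last(kpi) as previouskpi by name_cache
       | eval change=round(((kpi-previouskpi)/previouskpi)*100,2)
    The window holds the two preceding events; last() ignores null kpi values."""
    window = defaultdict(lambda: deque(maxlen=2))
    for r in rows:
        w = window[r["name_cache"]]
        non_null = [k for k in w if k is not None]
        prev_kpi = non_null[-1] if non_null else None
        r["previouskpi"] = prev_kpi
        diff = None if r["kpi"] is None or prev_kpi is None else r["kpi"] - prev_kpi
        ratio = safe_div(diff, prev_kpi)
        r["change"] = round(ratio * 100, 2) if ratio is not None else None
        w.append(r["kpi"])
    return rows


def timechart_first_change(rows, span=300):
    """| timechart span=5m first(change) by name_cache
    first() takes the first non-null value seen per bucket in arrival order,
    which after `| reverse` is the earliest one. Returns {bucket: {name_cache: change}}."""
    out = defaultdict(dict)
    for r in rows:
        bucket = r["_time"] - r["_time"] % span
        if r["change"] is not None and r["name_cache"] not in out[bucket]:
            out[bucket][r["name_cache"]] = r["change"]
    return dict(out)


def run(events=EVENTS):
    rows = add_change(compute_kpi(events))
    return rows, timechart_first_change(rows)


if __name__ == "__main__":
    rows, chart = run()
    for r in rows:
        print(r["_time"], r["name_cache"], r["kpi"], r["previouskpi"], r["change"])
    print(chart)
```

With the constructed data, fe01 goes 1.0 to 1.25 to 1.0 Gbps, giving change_percent 25.0 then -20.0; fe02 never gets a change value because its first non-null kpi is 0; the non-traffic series fe03 goes 0.5 to 1.0 per second, a 100.0 percent change. Because the window functions skip nulls and eval swallows division by zero, gaps like these show up as missing cells in the timechart rather than as errors, which is worth keeping in mind when reading the panel.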
