Splunk Search

How to generate a search to report on gradual changes in value over time?

New Member

Hi

I would like to display the timestamp of the events when there is a gradual change in the value. Here is a sample of the data.

Time     Price
10:00   15
10:01   14
10:02   12
10:03   15
10:04   14
10:05   13
10:06   9
10:07   7
10:08   8
10:09   6
10:10   5
10:11   4
10:12   13
10:13   12
10:14   14
10:15   4
10:16   9
10:17   8
10:18   6
10:19   5
10:20   1
10:13   12
10:14   14
10:15   12

I would expect to see the output as "Decline" at "10:06 to 10:11" and "10:15 to 10:20". Can it be Splunked?

Thanks,

0 Karma

SplunkTrust

Will something like this work for you?

your current search giving field Time Price
| streamstats current=f window=1 values(Price) as prev_price
| eval Result=case(Price<prev_price,"Decline",Price>prev_price,"Increase",1=1,"No Change") | fields - prev_price

You can update the text that you want to show during increase or no change to blank.

0 Karma

New Member

I updated the query with the criteria and am using transaction to get the duration of the event. But for some reason duration is showing 0. How can I create a query to get the Results counting "Decline" > 5 and get the start and end time of the events?
"Decline Time 1" "10:06 to 10:11"
"Decline Time 2" "10:15 to 10:20"

 | streamstats current=f window=1 values(Price) as prev_price 
 | eval Result=case(Price<10,"Decline",Price>10,"Increase",1=1,"No Change")
 | transaction  startswith=Result=Decline endswith=Result=Decline 
 | table Time Result Price duration

Thanks

0 Karma

New Member

Thanks, the query looks good but the output is not as desired. I might need to do an eval, look for the avg and do a comparison.

Price   Result      Expected
15      Increase
14      Increase
12      Decline
15      Increase
14      Increase
13      Increase
9       Increase    Decline
7       Decline     Decline
8       Increase    Decline
6       Increase    Decline
5       Increase    Decline
4       Decline     Decline
13      Increase
12      Decline
12      No Change
14      Increase
14      No Change
12      Increase
4       Decline     Decline
9       Increase    Decline
8       Increase    Decline
6       Increase    Decline
5       Increase    Decline
1       No Change   Decline

0 Karma

SplunkTrust

What should the criteria be? From your example, you only want to show Decline. Do you have any threshold for percent change OR a number? If yes, you just need to update the case statement accordingly.

0 Karma
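The thread's two queries label each event in one pass (streamstats previous value, eval case) but never group consecutive labels into spans with a start and end time. The following is an added Python model of that pipeline, not Splunk code and not from any poster, run over the sample Time/Price table above; it assumes two candidate "Decline" criteria taken from the thread (the Price<10 threshold in the second query and the lower-than-previous comparison in the first answer) and a run length of at least 5 events, and shows that only the threshold criterion yields the two expected spans.

```python
from itertools import groupby

# Constructed sample: the Time/Price table from the question, 10:00 to 10:20.
SAMPLE = [
    ("10:00", 15), ("10:01", 14), ("10:02", 12), ("10:03", 15), ("10:04", 14),
    ("10:05", 13), ("10:06", 9), ("10:07", 7), ("10:08", 8), ("10:09", 6),
    ("10:10", 5), ("10:11", 4), ("10:12", 13), ("10:13", 12), ("10:14", 14),
    ("10:15", 4), ("10:16", 9), ("10:17", 8), ("10:18", 6), ("10:19", 5),
    ("10:20", 1),
]


def label_events(rows, is_decline):
    """Stage 1 (the role of `streamstats current=f window=1` + `eval Result=case(...)`):
    carry the previous price along and label each event Decline or Other."""
    labelled, prev = [], None
    for time, price in rows:
        labelled.append((time, price, "Decline" if is_decline(price, prev) else "Other"))
        prev = price
    return labelled


def decline_spans(labelled, min_events):
    """Stage 2 (what `transaction` or `stats min/max by run_id` would do): group
    consecutive Decline events into (start, end, count) spans of at least min_events."""
    spans = []
    for label, run in groupby(labelled, key=lambda r: r[2]):
        run = list(run)
        if label == "Decline" and len(run) >= min_events:
            spans.append((run[0][0], run[-1][0], len(run)))
    return spans


# Assumed criteria, both lifted from the thread; which one the poster wants is unsettled.
below_threshold = lambda price, prev: price < 10                           # second query
lower_than_prev = lambda price, prev: prev is not None and price < prev   # first answer


def report(rows=SAMPLE, min_events=5):
    """Spans found by each criterion; the threshold gives 10:06-10:11 and 10:15-10:20,
    the previous-value comparison gives no run of 5 (its longest runs are 4 events)."""
    return {
        "threshold": decline_spans(label_events(rows, below_threshold), min_events),
        "prev_value": decline_spans(label_events(rows, lower_than_prev), min_events),
    }


if __name__ == "__main__":
    for name, spans in report().items():
        print(name, spans)
```

Swap the `is_decline` predicate for a percent-change or moving-average test once the criterion is decided; the span grouping stays the same.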