Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I generate a Report to Display any delta (By ID, by _time) in FIeld X greater than Y?

chburnett
New Member
‎12-30-2015 08:16 AM

So a sample of the data I'm working with is as follows

TImestamp | ID | Amount

2015-12-30 09:50:45 | 1 | 28668
2015-12-30 09:50:45 | 2 | 24399
2015-12-30 09:50:45 | 2 | 904
2015-12-30 09:50:45 | 4 | 39292

2015-12-30 09:55:51 | 1 | 1000
2015-12-30 09:55:51 | 2 | 1045
2015-12-30 09:55:51 | 4 | 1035

Essentially, what I'm trying to do is built a Report/Alert that will pop when any user has a variance of say... Greater than 50k between _time (data is imported about every 5-10 minutes, so that's the _time variance).

What I've got so far is something like this:

sourcetype="Log" *| table _time, ID, subAmount1, subAmount2 | eval amount=(subAmount1+subAmount2 ) | delta amount p=1 as amountVar| eval amountVar=-(amountVar)

I can search for an individual ID, and see variances properly between _time, but I'm trying to make a more generic report to simply show highlights on a daily basis for ID's which have a variance greater than a threshold between a certain number of events.

0 Karma
Reply

sundareshr
Legend
‎12-30-2015 09:15 AM

Have you looked at the range function for streamstats?

| streamstats range(Amount) as diff by ID | table ID, diff | where diff>50000
Reply

chburnett
New Member
‎12-30-2015 09:44 AM

I'd tried that, but it returns results similar to the following:

2015-12-30 11:07:38 | 1 | 50309
2015-12-30 10:47:09 | 2 | 50680
2015-12-30 10:47:07 | 2 | 50680
2015-12-30 10:57:23 | 1 | 51634
2015-12-30 10:47:07 | 3 | 52278
2015-12-30 11:17:53 | 4 | 60082
2015-12-30 11:12:45 | 4 | 60117
2015-12-30 11:12:45 | 4 | 60117
2015-12-30 11:07:39 | 4 | 60117
2015-12-30 11:07:38 | 4 | 60117

Where the range appears to be simply Max(Amount)-min(Amount) regardless of _time. The dataset changes dynamically during the day, so ideally I would have a query capable of expressing something similar to:

"For each ID, calculate the difference in Amount between each _time. If the difference between this _time and the previous _time is greater than X, Display a table for _time, ID, Amount."

The issue seems to be that it's difficult to make the query in such a manner than it looks at a delta by ID and _time, because delta is inherently calculating based on the previous event based on _time (regardless of ID, as I'm querying all IDs).

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...