- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How would I generate a Report to Display any delta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would I generate a Report to Display any delta (By ID, by _time) in FIeld X greater than Y?
So a sample of the data I'm working with is as follows
TImestamp | ID | Amount
2015-12-30 09:50:45 | 1 | 28668
2015-12-30 09:50:45 | 2 | 24399
2015-12-30 09:50:45 | 2 | 904
2015-12-30 09:50:45 | 4 | 39292
2015-12-30 09:55:51 | 1 | 1000
2015-12-30 09:55:51 | 2 | 1045
2015-12-30 09:55:51 | 4 | 1035
Essentially, what I'm trying to do is built a Report/Alert that will pop when any user has a variance of say... Greater than 50k between _time (data is imported about every 5-10 minutes, so that's the _time variance).
What I've got so far is something like this:
sourcetype="Log" *| table _time, ID, subAmount1, subAmount2 | eval amount=(subAmount1+subAmount2 ) | delta amount p=1 as amountVar| eval amountVar=-(amountVar)
I can search for an individual ID, and see variances properly between _time, but I'm trying to make a more generic report to simply show highlights on a daily basis for ID's which have a variance greater than a threshold between a certain number of events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at the range function for streamstats?
| streamstats range(Amount) as diff by ID | table ID, diff | where diff>50000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd tried that, but it returns results similar to the following:
2015-12-30 11:07:38 | 1 | 50309
2015-12-30 10:47:09 | 2 | 50680
2015-12-30 10:47:07 | 2 | 50680
2015-12-30 10:57:23 | 1 | 51634
2015-12-30 10:47:07 | 3 | 52278
2015-12-30 11:17:53 | 4 | 60082
2015-12-30 11:12:45 | 4 | 60117
2015-12-30 11:12:45 | 4 | 60117
2015-12-30 11:07:39 | 4 | 60117
2015-12-30 11:07:38 | 4 | 60117
Where the range appears to be simply Max(Amount)-min(Amount) regardless of _time. The dataset changes dynamically during the day, so ideally I would have a query capable of expressing something similar to:
"For each ID, calculate the difference in Amount between each _time. If the difference between this _time and the previous _time is greater than X, Display a table for _time, ID, Amount."
The issue seems to be that it's difficult to make the query in such a manner than it looks at a delta by ID and _time, because delta is inherently calculating based on the previous event based on _time (regardless of ID, as I'm querying all IDs).
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
