Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identify which power meter reading has stopped increasing for 5 days

splunk_rookie
Engager
‎03-30-2021 02:23 AM

Hi, I am trying to identify which power meter reading has stopped increasing for 5 days. 

As these power values are accumulated, I assumed that they are always in sequential order with respect to time. Therefore, I sorted the data by ASSET_NAME and _time to get the latest value. Then I took the difference between the latest value for every 5 days. So if the difference is 0, it means that there is no power increment.

Do you think that this logic flow is correct? Below is my code:

 

| bucket _time span=5d

| sort 0 ASSET_NAME _time

| stats latest(VALUE) as latestValue by ASSET_NAME _time

| delta latestValue as difference

| search difference = 0

 

Also, let's say the power values are not in sequential order due to some issue, how can I accurately identify the  power meter that has stopped increasing?

Please help. Thank you! 🙂

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 03:10 AM

Rather than latest, how about using max()?

0 Karma
Reply

splunk_rookie
Engager
‎03-31-2021 08:27 AM

I get the same result as using latest ()

Anyway, I came up with another solution. First I sorted by ASSET_NAME and _time, then I used delta to find the power difference between each consecutive events. Next i used delta again to find the duration between the two events. Lastly I searched for power difference = 0 and duration > 432000 sec (5days). 

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...