Re: Modify values for timechat based on aggregatio...

Oldreader · ‎07-31-2018

There is metric which accumulative counter of some event. Timechart of this metrics look like monotonic function. I cant change metrics therefor i need to calculate derivative function - increase/decrease of counter per period of time. Example query:

index=some_index host="*" |  timechart span=15s max("some_metric") by host | addtotals fieldname=cur | appendcols [search index=some_index host="*" | eval _time=_time+15 | timechart span=15s max("some_metric") by host | addtotals fieldname=prev ] | eval diff=cur-prev | timechart span=1m  max(diff) as "Aggregation"

index=some_index host="*" | timechart span=15s max("some_metric") by host | addtotals fieldname=cur - calculates total of all hosts
appendcols [search index=some_index host="*" | eval _time=_time+15 | timechart span=15s max("some_metric") by host | addtotals fieldname=prev ]- calculates total of all hosts with timeshift
Now I want to calculate subtraction. All goes fine with total, but how to calculate subtraction to each host?

somesoni2 · ‎07-31-2018

Try like this

index=some_index host="*" | timechart span=15s max("some_metric") as metric
| delta metric as diff
| timechart span=1m max(diff) as Aggregation

Modify values for timechat based on aggregation function

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Join the Conversation

Modify values for timechat based on aggregation function

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...