Splunk Search

Need assistance to compare the dynamic fields

BalajiRaju
Observer

My query uses a timechart count by clause. We need to compare the dynamic field values it produces.

Query:

index=sample sample="value1" | timechart count by field1

It returns some results like 

_time                output1  output2
2024-11-13 04:00:00  8        30
2024-11-13 04:01:00  8        30

My question is that we need to compare output1 and output2, e.g. whether output1 is more than 30% of output2 within a 10-minute interval.
0 Karma

yuanliu
SplunkTrust

Assuming the values of the groupby field, namely field1, are stable ("output1", "output2"), the solution depends on how granular you want the timechart to be.  If the timechart itself is 10 min, the simplest solution would be

index=sample sample="value1"
| timechart span=10m count by field1
| where output1 > 0.3 * output2

Otherwise you need to perform stats twice, as @gcusello suggests, but change the where command to fit your requirement.  Consider a case where your timechart is sparser than 10m, say 1h.  You can do

index=sample sample="value1"
| timechart span=10m count by field1
| where output1 > 0.3 * output2
| timechart span=1h count

(After the first timechart the only columns are _time, output1 and output2, so the second timechart counts how many 10-minute intervals in each hour satisfied the condition.)

To have a timechart more granular than 10min, you'll have to do some crazy math but it's also doable.

0 Karma
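For the case yuanliu mentions last, a timechart more granular than 10 minutes, here is an added example (not code from the original thread) that avoids the hand-rolled math by using streamstats with a sliding window. It keeps the index, field and column names from the question (index=sample, sample="value1", field1, output1, output2); the _10m suffixes are assumed names for the rolling totals.

```spl
index=sample sample="value1"
| timechart span=1m count by field1
| fillnull value=0 output1 output2
| streamstats window=10 sum(output1) AS output1_10m sum(output2) AS output2_10m
| where output1_10m > 0.3 * output2_10m
| table _time output1_10m output2_10m
```

The first timechart builds 1-minute buckets with one column per value of field1. fillnull matters because a minute in which one value never occurred would otherwise produce a null column, and a where comparison against null evaluates to false, silently dropping that row. streamstats with window=10 then sums the current bucket and the nine before it, giving a 10-minute rolling total per minute, and the where keeps only the minutes whose trailing 10-minute window satisfies the 30% condition. As in yuanliu's answer, the column names after "timechart ... by field1" are the actual values of field1, so output1 and output2 must be replaced by the values your data really contains; if they are not, the where clause compares missing fields and returns nothing.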

BalajiRaju
Observer

output1 and output2 are dynamic values that come from the field "Field1".  I tried your two queries but no luck. If I remove the condition (where), I get results. It seems there is an issue with the condition (output1 and output2).

0 Karma

yuanliu
SplunkTrust

"No luck", "Does not work" are useless words in this forum.  What is the input?  What is the output?  How does the output differ from your expectations?  Are you sure your data contains time periods where the condition is satisfied?  Unless you can illustrate these data points, volunteers here cannot help you.

Here is an emulation of the first search.  As you can see, the results remaining after "where" all have output1 > 30% of output2.

index = _audit action IN (artifact_deleted, quota)
| rename action as field1
| eval field1 = if(field1 == "quota", "output1", "output2")
``` the above emulates
index=sample sample="value1"
```
| timechart span=10m count by field1
| where output1 > 0.3 * output2


My output is

_time                output1  output2
2024-12-01 21:00:00  6        0
2024-12-01 21:20:00  4        4
2024-12-01 22:00:00  2        2
2024-12-01 23:30:00  11       11
2024-12-01 23:40:00  2        4
2024-12-02 00:00:00  10       8
2024-12-02 01:00:00  6        8
2024-12-02 03:00:00  11       31
2024-12-02 03:10:00  5        6
2024-12-02 03:20:00  3        8
2024-12-02 03:30:00  3        7
2024-12-02 03:40:00  5        4
2024-12-02 03:50:00  8        13
2024-12-02 04:00:00  5        11
2024-12-02 04:10:00  14       12
2024-12-02 04:20:00  12       14
2024-12-02 04:30:00  6        13
2024-12-02 04:50:00  4        0
2024-12-02 07:10:00  2        2
2024-12-02 12:00:00  6        0

Without "where", there are 150 time intervals.

Play with the emulation and modify it to see how timechart, time buckets, and filter conditions work together with different datasets.  Then analyze your own dataset.  For example, if your search doesn't return any result when "where" applies, post the output when "where" is removed.  (You can anonymize actual values with "output1" and "output2" as I do in the emulation, but keep the data accurate to the real data.)

0 Karma

gcusello
SplunkTrust

Hi @BalajiRaju 

try using stats, but you have to span the timestamps, e.g. every hour:

index=sample sample="value1"
| bin span=1h _time
| stats count BY _time field1
| where field1>30
| timechart values(count) AS count BY field1

Ciao.

Giuseppe

0 Karma

BalajiRaju
Observer

Thanks for your reply.

I couldn't get any result with this query. If I remove the where condition, I get results.

I ran the query over the last 4 hrs, e.g.:

_time                o/p1  o/p2
2024-11-09 01:02:00  1     1
2024-11-09 02:02:00  1     1

0 Karma

gcusello
SplunkTrust

Hi @BalajiRaju ,

probably the condition I assumed isn't correct; adjust it for your data, e.g. as @yuanliu hinted, but the approach is correct.

Ciao.

Giuseppe

0 Karma