Splunk Search

Need assistance to compare the dynamic fields

BalajiRaju
Loves-to-Learn Everything

My question is this: we have used the timechart count by clause in the Splunk query, and we need to compare the dynamic field values.

Query :-

index=sample sample="value1" | timechart count by field1

It returns some results like 

time                 output1  output2
2024-11-13 04:00:00        8       30
2024-11-13 04:01:00        8       30

My question here is that we need to compare output1 and output2, e.g. whether output1 is more than 30% of output2 in a 10-minute interval.

yuanliu
SplunkTrust

Assuming the values of the groupby field, namely field1, are stable ("output1", "output2"), the solution depends on how granular you want the timechart to be.  If timechart itself is 10min, the simplest solution would be

index=sample sample="value1"
| timechart span=10m count by field1
| where output1 > 0.3 * output2

Else you need to perform stats twice as @gcusello suggests, but change the where command to fit your requirement.  Consider a case where your timechart is sparser than 10m, say 1h.  You can do

index=sample sample="value1"
| timechart span=10m count by field1
| where output1 > 0.3 * output2
| timechart span=1h sum(count)

To have a timechart more granular than 10min, you'll have to do some crazy math but it's also doable.

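For the case left above as "doable" with some math, a timechart more granular than 10 minutes, here is an added example (not from the thread; it assumes, as in the question, that the field1 values are literally output1 and output2). It keeps 1-minute bins and uses streamstats to sum the ten most recent bins into a trailing 10-minute window before applying the same 30% condition:

```spl
index=sample sample="value1"
| timechart span=1m count BY field1
| streamstats window=10 sum(output1) AS output1_10m sum(output2) AS output2_10m
| where output1_10m > 0.3 * output2_10m
| table _time output1 output2 output1_10m output2_10m
```

Because timechart emits every 1-minute bin (empty bins are filled with 0), ten consecutive rows always cover exactly ten minutes, so the row-based window equals a time window; note that the first nine rows cover a shorter, partial window.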

BalajiRaju
Loves-to-Learn Everything

Output 1 and 2 are the dynamic values which we get from the field "Field1".  I tried your two queries but no luck. If I remove the condition (where), I can get the results. It seems like there is an issue with the condition (output1 and output2).


yuanliu
SplunkTrust

"No luck", "Does not work" are useless words in this forum.  What is the input?  What is the output?  How does the output differ from your expectations?  Are you sure your data contains time periods where the condition is satisfied?  Unless you can illustrate these data points, volunteers here cannot help you.

Here is an emulation for the first search.  As you can see, remaining results after "where" all have output1 > 30% of output2.

index = _audit action IN (artifact_deleted, quota)
| rename action as field1
| eval field1 = if(field1 == "quota", "output1", "output2")
``` the above emulates
index=sample sample="value1"
```
| timechart span=10m count by field1
| where output1 > 0.3 * output2


My output is

_time                output1  output2
2024-12-01 21:00:00        6        0
2024-12-01 21:20:00        4        4
2024-12-01 22:00:00        2        2
2024-12-01 23:30:00       11       11
2024-12-01 23:40:00        2        4
2024-12-02 00:00:00       10        8
2024-12-02 01:00:00        6        8
2024-12-02 03:00:00       11       31
2024-12-02 03:10:00        5        6
2024-12-02 03:20:00        3        8
2024-12-02 03:30:00        3        7
2024-12-02 03:40:00        5        4
2024-12-02 03:50:00        8       13
2024-12-02 04:00:00        5       11
2024-12-02 04:10:00       14       12
2024-12-02 04:20:00       12       14
2024-12-02 04:30:00        6       13
2024-12-02 04:50:00        4        0
2024-12-02 07:10:00        2        2
2024-12-02 12:00:00        6        0

Without "where", there are 150 time intervals.

Play with the emulation, modify it to see how timechart, time buckets, and filter conditions work together with different datasets.  Then, analyze your own dataset.  For example, if your search doesn't return any result when "where" applies, post the output when "where" is removed. (You can anonymize actual values with "output1" "output2" like I do in the emulation, but keep the data faithful to the real data.)


gcusello
SplunkTrust

Hi @BalajiRaju 

try using stats, but you have to span the timestamps, e.g. every hour:

index=sample sample="value1"
| bin span=1h _time
| stats count BY _time field1
| where field1>30
| timechart values(count) AS count BY field1

Ciao.

Giuseppe


BalajiRaju
Loves-to-Learn Everything

Thanks for your reply.

I couldn't get any result with this query. If I remove the where condition, I get results.

I ran the query over the last 4 hrs, like:

time                 o/p1  o/p2
2024-11-09 01:02:00     1     1
2024-11-09 02:02:00     1     1

gcusello
SplunkTrust

Hi @BalajiRaju ,

probably the condition I assumed isn't correct; correct it for your data, e.g. as @yuanliu hinted, but the approach is correct.

Ciao.

Giuseppe
