Splunk Search

Need assistance to compare the dynamic fields

BalajiRaju
Loves-to-Learn Everything

My query is: we have used the timechart count by clause in the Splunk query, and we need to compare the dynamic field values.

Query:

index=sample sample="value1" | timechart count by field1

It returns some results like 

time                 output1  output2
2024-11-13 04:00:00  8        30
2024-11-13 04:01:00  8        30


My question here is that we need to compare output1 and output2, e.g. whether o/p1 is more than 30% of o/p2 within a 10-minute interval.

0 Karma

yuanliu
SplunkTrust

Assuming the values of the groupby field, namely field1, are stable ("output1", "output2"), the solution depends on how granular you want the timechart to be.  If the timechart itself is 10min, the simplest solution would be

index=sample sample="value1"
| timechart span=10m count by field1
| where output1 > 0.3 * output2

Else you need to perform stats twice as @gcusello suggests, but change the where command to fit your requirement.  Consider a case where your timechart is sparser than 10m, say 1h.  You can do

index=sample sample="value1"
| timechart span=10m count by field1
| where output1 > 0.3 * output2
| timechart span=1h sum(count)

To have a timechart more granular than 10min, you'll have to do some crazy math but it's also doable.

0 Karma

BalajiRaju
Loves-to-Learn Everything

output1 and output2 are the dynamic values which we get from the field "field1".  I tried your two queries but no luck. If I remove the condition (where), I get results. Seems like there is an issue with the condition (output1 and output2).

0 Karma

yuanliu
SplunkTrust

"No luck", "Does not work" are useless words in this forum.  What is the input?  What is the output?  How does the output differ from your expectations?  Are you sure your data contains time periods where the condition is satisfied?  Unless you can illustrate these data points, volunteers here cannot help you.

Here is an emulation for the first search.  As you can see, all results remaining after "where" have output1 > 30% of output2.


index = _audit action IN (artifact_deleted, quota)
| rename action as field1
| eval field1 = if(field1 == "quota", "output1", "output2")
``` the above emulates
index=sample sample="value1"
```
| timechart span=10m count by field1
| where output1 > 0.3 * output2


My output is

_time                output1  output2
2024-12-01 21:00:00  6        0
2024-12-01 21:20:00  4        4
2024-12-01 22:00:00  2        2
2024-12-01 23:30:00  11       11
2024-12-01 23:40:00  2        4
2024-12-02 00:00:00  10       8
2024-12-02 01:00:00  6        8
2024-12-02 03:00:00  11       31
2024-12-02 03:10:00  5        6
2024-12-02 03:20:00  3        8
2024-12-02 03:30:00  3        7
2024-12-02 03:40:00  5        4
2024-12-02 03:50:00  8        13
2024-12-02 04:00:00  5        11
2024-12-02 04:10:00  14       12
2024-12-02 04:20:00  12       14
2024-12-02 04:30:00  6        13
2024-12-02 04:50:00  4        0
2024-12-02 07:10:00  2        2
2024-12-02 12:00:00  6        0

Without "where", there are 150 time intervals.

Play with the emulation, modify it to see how timechart, time buckets, and filter conditions work together with different datasets.  Then, analyze your own dataset.  For example, if your search doesn't return any result when "where" applies, post the output when "where" is removed. (You can anonymize actual values with "output1" "output2" like I do in the emulation, but keep the data faithful to the real data.)

0 Karma
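As an added illustration that is not part of any reply in this thread, the Python script below emulates offline what the two searches above do in Splunk: bucket events into 10-minute spans and count by field1 (timechart span=10m count by field1), apply the where condition, then roll the surviving rows up to one hour. The events are constructed, not real data, and the one-hour rollup is my reading of the second search (count of 10-minute intervals per hour that met the condition). The point it makes visible is timechart's zero-fill: a bucket with output1 events but no output2 events passes `output1 > 0.3 * output2` (n > 0 is true), which is why rows such as "6  0" survive in the emulation output, while a bucket with no events at all is dropped (0 > 0 is false).

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, not real data: (timestamp, value of field1).
# field1 is the "dynamic" group-by field from the thread; here it happens to
# take the two values "output1" and "output2", as in the original question.
SAMPLE_EVENTS = [
    ("2024-11-13 04:01:12", "output1"),
    ("2024-11-13 04:03:40", "output1"),
    ("2024-11-13 04:05:02", "output2"),
    ("2024-11-13 04:12:30", "output2"),
    ("2024-11-13 04:14:05", "output2"),
    ("2024-11-13 04:15:59", "output2"),
    ("2024-11-13 04:18:11", "output2"),
    ("2024-11-13 04:19:47", "output1"),
    ("2024-11-13 04:25:00", "output2"),
    ("2024-11-13 04:35:33", "output1"),
    ("2024-11-13 05:05:09", "output1"),
    ("2024-11-13 05:07:21", "output2"),
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def floor_to_span(ts, span):
    """Emulate `bin span=... _time`: floor a timestamp to the start of its span."""
    epoch = datetime(1970, 1, 1)
    return ts - (ts - epoch) % span


def timechart_count_by(events, span_minutes):
    """Emulate `timechart span=<N>m count by field1`.

    Returns [(bucket_start, {series: count}), ...] with one row per span from
    the first to the last bucket seen, every series present in every row and
    absent series counted as 0.  That zero-fill is what timechart does and is
    what decides how `where output1 > 0.3 * output2` treats sparse buckets.
    """
    span = timedelta(minutes=span_minutes)
    counts = Counter()
    series = set()
    for ts_text, value in events:
        bucket = floor_to_span(datetime.strptime(ts_text, TIME_FORMAT), span)
        counts[(bucket, value)] += 1
        series.add(value)
    if not counts:
        return []
    bucket = min(b for b, _ in counts)
    last = max(b for b, _ in counts)
    rows = []
    while bucket <= last:
        rows.append((bucket, {s: counts[(bucket, s)] for s in sorted(series)}))
        bucket += span
    return rows


def where_ratio(rows, left, right, ratio=0.3):
    """Emulate `where <left> > <ratio> * <right>` over timechart rows.

    Because of zero-fill, a bucket with left events but no right events
    passes (n > 0), and a bucket with no events at all fails (0 > 0 is false).
    """
    return [(b, r) for b, r in rows if r.get(left, 0) > ratio * r.get(right, 0)]


def rollup_count(rows, span_minutes):
    """Emulate a coarser `timechart span=<M>m count` over the filtered rows:
    how many of the finer intervals in each coarse bucket met the condition.
    (Assumption: this is the intent of rolling the filtered 10-minute rows
    up to one hour in the second search.)"""
    span = timedelta(minutes=span_minutes)
    per_bucket = Counter(floor_to_span(b, span) for b, _ in rows)
    return sorted(per_bucket.items())


def render(rows):
    """Print rows in the column layout the tables in this thread use."""
    if not rows:
        return
    series = list(rows[0][1])
    print("_time".ljust(21) + "  ".join(s.ljust(8) for s in series))
    for bucket, counts in rows:
        cells = "  ".join(str(counts[s]).ljust(8) for s in series)
        print(bucket.strftime(TIME_FORMAT).ljust(21) + cells)


if __name__ == "__main__":
    ten_min = timechart_count_by(SAMPLE_EVENTS, 10)
    print("timechart span=10m count by field1:")
    render(ten_min)
    kept = where_ratio(ten_min, "output1", "output2", 0.3)
    print("\nafter where output1 > 0.3 * output2:")
    render(kept)
    print("\n10-minute intervals meeting the condition, per hour:")
    for bucket, n in rollup_count(kept, 60):
        print(bucket.strftime(TIME_FORMAT), n)
```

With the constructed events, seven 10-minute buckets are produced (04:00 through 05:00), three survive the where (04:00, 04:30 and 05:00), and the hourly rollup reports 2 for the 04:00 hour and 1 for the 05:00 hour. Swapping the sample events for anonymized rows from a real search is the quickest way to see whether the condition can ever be true on one's own data before blaming the where clause.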

gcusello
SplunkTrust

Hi @BalajiRaju 

try using stats, but you have to span the timestamps, e.g. every hour:

index=sample sample="value1"
| bin span=1h _time
| stats count BY _time field1
| where field1>30
| timechart values(count) AS count BY field1

Ciao.

Giuseppe

0 Karma

BalajiRaju
Loves-to-Learn Everything

Thanks for your reply.

I couldn't get any result with this query. If I remove the where condition I get results.

I ran the query over the last 4 hours,

like

time                 o/p1  o/p2
2024-11-09 01:02:00  1     1
2024-11-09 02:02:00  1     1


0 Karma

gcusello
SplunkTrust

Hi @BalajiRaju ,

probably the condition I supposed isn't correct; correct it for your data, e.g. as @yuanliu hinted, but the approach is correct.

Ciao.

Giuseppe

0 Karma