Splunk Search

Plot rate of change of count

jpillai
Path Finder

Hi all,

 

I'm analysing event counts for a specific search criteria and I want to know how the count of values changed over time. The search below is not good enough to see what's going on, as many usernames have a huge number of events and some with small numbers are barely noticeable (I'm interested in the rate of change and not the count itself).

```
index=test_index "search string" | timechart span=10m count(field1) by username
```

So I want to see a rate of change of the count rather than simple count, by username field. How can we achieve this?


Richfez
SplunkTrust

There are a few ways to go about this and none of them are really easy. There's a specific command 'delta', but it only works for one field, so we'll have to go a bit off-road.

I just used my firewall data "by transport" instead of "by user" (== tcp, udp, etc.), but I'm sure you can adapt it to yours (only lines 1 and 2 need changing).

```
index=fw 
| timechart span=10m count by transport
| streamstats window=2 first(*) as first_* last(*) as last_* 
| foreach *_* 
    [eval delta_<<MATCHSEG2>> = first_<<MATCHSEG2>> - last_<<MATCHSEG2>> ] 
| fields delta*
```

So what that does:

Line 1 and 2 are more or less like you have them.  Start by running just these two lines and adapting until you get your timechart data coming out OK.

In line 3 we use streamstats to build groups of two of those events, and though it looks messy with the wildcards and underscores, it'll build new fields like first_tcp, last_tcp and so on.

Line 4 is foreach and says for every field with a _ in the middle, like first_tcp, make a new field delta_tcp which is first_tcp - last_tcp.

The last line just trims out all fields except our delta_* fields, because those are the only ones we want.

Try those - get the first two working, then add one line at a time and watch what each one adds/does.


Happy Splunking!

-Rich

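As an added example (editor's note, not part of jpillai's question or Rich's answer), here is another way to get the per-username rate of change that avoids the wildcard `foreach` entirely: flip the timechart into a long table with `untable`, compute the previous bucket's count per username with `streamstats ... by username`, and pivot back with `xyseries`. Two things it does differently from the answer above: it keeps `_time` (a trailing `| fields delta*` drops `_time`, so the result can no longer be plotted as a time series), and it reports percent change relative to the previous bucket, which is what makes a username with small counts visible next to a heavy hitter, the original concern in the question. The index, search string, `field1` and `username` are taken from the question; `prev`, `delta` and `pct_change` are field names chosen here.

```spl
index=test_index "search string"
| timechart span=10m limit=0 count(field1) by username
| untable _time username count
| streamstats current=f window=1 last(count) as prev by username
| eval delta = count - prev
| eval pct_change = if(prev > 0, round(100 * delta / prev, 1), null())
| xyseries _time username pct_change
```

Notes on the choices: `limit=0` on `timechart` stops Splunk from keeping only the top 10 usernames and lumping the rest into an `OTHER` column, which would otherwise hide exactly the small accounts you are looking for. `current=f window=1` makes `prev` the count from the previous 10-minute bucket for that same username, so `delta` is positive when the count went up (the `first - last` in the search above gives the opposite sign). `prev` is empty for the first bucket of each username and `pct_change` is left empty when `prev` is 0, so you never divide by zero; if you want the absolute change instead, put `delta` in place of `pct_change` on the `xyseries` line.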