Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search to identify the most volatile values in a field

luke222010
Engager
‎03-18-2020 03:39 AM

Hello Splunkers!

I have the following fields being populated by 1000s of values every 1 minute:

Name Cost

E.g.
Luke 1.25
Luke 1.22
Dave 2.45
Dave 2.57

Bearing in mind, there are over 1000 Cost values coming in for each Name each minute, I want to identify the biggest movers in terms of Cost over a 5 minute period thereby identifying the most volatile Names in a timechart.

Can anyone tell me how I would do this please?

0 Karma
Reply

woodcock
Esteemed Legend
‎03-18-2020 07:31 AM

Like this:

... earliest=-5m latest=now | stats range(Cost) AS volatility BY Name
| sort 0 - volatility

Also maybe this:

... earliest=-24h latest=now | streamstats time_window=5m range(Cost) AS volatility BY Name
| sort 0 - volatility
0 Karma
Reply

to4kawa
Ultra Champion
‎03-18-2020 05:48 AM

1000s of values?
I don't understand 1.25 is 1000s of values.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...