Solved: Re: Transaction by time range and calculate

lain179 · ‎02-27-2013

I have a log that tracks the number of documents. I would like to know how to find and table/graph the number of NEW documents for every 15 minutes.

The log looks like this: In this example, I need to find 1667 - 53 = 1614 new docs for the first 15 minutes.

2013-02-27 09:43:01 Found: 68 Sent: 53 ( New: 53 )
2013-02-27 09:45:23 Found: 307 Sent: 290 ( New: 290 )
2013-02-27 09:48:50 Found: 493 Sent: 476 ( New: 476 )
2013-02-27 09:50:37 Found: 820 Sent: 803 ( New: 803 )
2013-02-27 09:52:29 Found: 1025 Sent: 1008 ( New: 1008 )
2013-02-27 09:55:01 Found: 1294 Sent: 1277 ( New: 1277 )
2013-02-27 09:57:03 Found: 1445 Sent: 1428 ( New: 1428 )
2013-02-27 09:58:45 Found: 1682 Sent: 1667 ( New: 1667 )
2013-02-27 09:59:07 Found: 1847 Sent: 1830 ( New: 1830 )

cramasta · ‎02-27-2013

you could do this

first extract the document count as a field called doccount (this would be the value after New: )

search would be

...|bucket _time span=15min | stats min(doccount) as mindoc max(doccount) as maxdoc by _time | eval newdocuments=maxdoc-mindoc | table _time newdocuments

View solution in original post

cramasta · ‎02-27-2013

you could do this

first extract the document count as a field called doccount (this would be the value after New: )

search would be

...|bucket _time span=15min | stats min(doccount) as mindoc max(doccount) as maxdoc by _time | eval newdocuments=maxdoc-mindoc | table _time newdocuments

lain179 · ‎02-27-2013

Exactly what I needed. Thank you so much!

Transaction by time range and calculate

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms