Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period)

sohaibomar
Explorer
‎09-16-2017 02:53 AM

I have event data in below format:

 Sep 15 2017 07:06:07    app=yahoo    dataconsumed=50
 Sep 15 2017 08:16:07    app=skype    dataconsumed=150
 Sep 14 2017 10:26:07    app=facebook   dataconsumed=10
 Sep 14 2017 12:26:07    app=facebook    dataconsumed=5
 Sep 13 2017 7:26:07    app=yahoo    dataconsumed=10
 Sep 13 2017 9:26:07    app=skype    dataconsumed=50
 Sep 12 2017 3:26:07    app=facebook   dataconsumed=80
 Sep 12 2017 1:26:07    app=facebook    dataconsumed=0

For example: for above dataset:

...|if( ((total_dataconsumed by app in last half of time) - (total_dataconsumed by app in fprevious half of time) ) >0, "gainer", "loser")

for above sample dataset result would be:

app gainer_or_loser dataconsumed
----------------------------------------------------
yahoo gainer 40
skype gainer 100
facebook loser -65
0 Karma
Reply

sohaibomar
Explorer
‎09-16-2017 07:04 AM

The data is in simple txt file. Splunk is easily able to extract time and fields out of it

0 Karma
Reply

Sukisen1981
Champion
‎09-16-2017 07:25 AM

hi please my answer below in details, i posted it as a separate entry

0 Karma
Reply

Sukisen1981
Champion
‎09-16-2017 07:01 AM

I tried this with your events in a notepad as follows:
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80

Sep 12 2017 1:26:07 app=facebook dataconsumed=0

| eval t=strftime(_time,"%Y-%m-%d")
| eval t1=strptime(t,"%Y-%m-%d")
| eval d=strftime(relative_time(now(),"-2d"),"%Y-%m-%d")
| eventstats max(t1) as f by app
| eval d1=t1-f
| eval c=if(f=t1,"c",if(d1=d,"p","nc"))
| chart sum(dataconsumed) by app,c
| eval dataconsumed=c-nc
|eval gainer_or_looser=if(dataconsumed >0,"gainer",if(dataconsumed=0,"even","looser"))
| fields app,gainer_or_looser,dataconsumed
| sort - app

0 Karma
Reply

Sukisen1981
Champion
‎09-16-2017 05:27 AM

hmm are these columns in a CSV file or what is the format of the data source? The result needs a bit tweaking based on your data source

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...