- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using variable "total_dataconsumed" how do I find ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period)
I have event data in below format:
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80
Sep 12 2017 1:26:07 app=facebook dataconsumed=0
For example: for above dataset:
...|if( ((total_dataconsumed by app in last half of time) - (total_dataconsumed by app in fprevious half of time) ) >0, "gainer", "loser")
for above sample dataset result would be:
app gainer_or_loser dataconsumed
----------------------------------------------------
yahoo gainer 40
skype gainer 100
facebook loser -65
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data is in simple txt file. Splunk is easily able to extract time and fields out of it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi please my answer below in details, i posted it as a separate entry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this with your events in a notepad as follows:
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80
Sep 12 2017 1:26:07 app=facebook dataconsumed=0
| eval t=strftime(_time,"%Y-%m-%d")
| eval t1=strptime(t,"%Y-%m-%d")
| eval d=strftime(relative_time(now(),"-2d"),"%Y-%m-%d")
| eventstats max(t1) as f by app
| eval d1=t1-f
| eval c=if(f=t1,"c",if(d1=d,"p","nc"))
| chart sum(dataconsumed) by app,c
| eval dataconsumed=c-nc
|eval gainer_or_looser=if(dataconsumed >0,"gainer",if(dataconsumed=0,"even","looser"))
| fields app,gainer_or_looser,dataconsumed
| sort - app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm are these columns in a CSV file or what is the format of the data source? The result needs a bit tweaking based on your data source
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
