- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using variable "total_dataconsumed" how do I f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period)
I have event data in below format:
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80
Sep 12 2017 1:26:07 app=facebook dataconsumed=0
For example: for above dataset:
...|if( ((total_dataconsumed by app in last half of time) - (total_dataconsumed by app in fprevious half of time) ) >0, "gainer", "loser")
for above sample dataset result would be:
app gainer_or_loser dataconsumed
----------------------------------------------------
yahoo gainer 40
skype gainer 100
facebook loser -65
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data is in simple txt file. Splunk is easily able to extract time and fields out of it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi please my answer below in details, i posted it as a separate entry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this with your events in a notepad as follows:
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80
Sep 12 2017 1:26:07 app=facebook dataconsumed=0
| eval t=strftime(_time,"%Y-%m-%d")
| eval t1=strptime(t,"%Y-%m-%d")
| eval d=strftime(relative_time(now(),"-2d"),"%Y-%m-%d")
| eventstats max(t1) as f by app
| eval d1=t1-f
| eval c=if(f=t1,"c",if(d1=d,"p","nc"))
| chart sum(dataconsumed) by app,c
| eval dataconsumed=c-nc
|eval gainer_or_looser=if(dataconsumed >0,"gainer",if(dataconsumed=0,"even","looser"))
| fields app,gainer_or_looser,dataconsumed
| sort - app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm are these columns in a CSV file or what is the format of the data source? The result needs a bit tweaking based on your data source
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
