Solved: Re: % difference in errors over the last 5 minutes

samneo · ‎09-22-2021

Im looking to get a query that will tell me the difference in an error rate increase i.e 5 minutes ag it was 120 errors but now is above 10%. My current search is as per the below

index=aws_kubernetes app=nio tag=error env=prd* | timechart span=1m count by app limit=0

this will show me the standard error rate over time so need to know when a percentage increase happens

samneo · ‎09-28-2021

i ended up using the below with anomaly detection which got me as close in the timeframe i had

index=kubernetes app=nio env=prd tag=error
| timechart span=1m count by app limit=0
| eventstats median("nio") as median
| eval absDev=(abs('nio'-median))
| eventstats median(absDev) as medianAbsDev
| eval lowerBound=(median-medianAbsDev*exact(4)), upperBound=(median+medianAbsDev*exact(3))
| eval isOutlier=if('nio' < lowerBound OR 'nio' > upperBound, 1, 0)
| fields _time, "nio", lowerBound, upperBound, isOutlier, *

View solution in original post

samneo · ‎09-28-2021

i ended up using the below with anomaly detection which got me as close in the timeframe i had

index=kubernetes app=nio env=prd tag=error
| timechart span=1m count by app limit=0
| eventstats median("nio") as median
| eval absDev=(abs('nio'-median))
| eventstats median(absDev) as medianAbsDev
| eval lowerBound=(median-medianAbsDev*exact(4)), upperBound=(median+medianAbsDev*exact(3))
| eval isOutlier=if('nio' < lowerBound OR 'nio' > upperBound, 1, 0)
| fields _time, "nio", lowerBound, upperBound, isOutlier, *

samneo · ‎09-22-2021

unfortunately this doesnt work, the line

| timechart span=1m sum(count) as count by app limit=0

brings back no results as the timechart has no count and only shows the field nio which has the count in. I used nio in that field instead but still doesnt work as per your one above

ITWhisperer · ‎09-22-2021

You don't need that line either - use your own timechart line - The whole example is a runanywhere example to show it working - just use the ideas from the bottom part

ITWhisperer · ‎09-22-2021

| gentimes start=-1 increment=1m
| rename starttime as _time
| eval app=split("ABCD","")
| mvexpand app
| eval count=random()%100




| timechart span=1m sum(count) as count by app limit=0


| untable _time app count
| sort 0 app _time
| streamstats window=1 current=f values(count) as previous by app
| eval increase=if(count>previous,100*count/previous,null())
| xyseries _time app increase

samneo · ‎09-22-2021

Hi @ITWhisperer

How do i incorporate that with my index as when i add it on it says

Error in 'gentimes' command: This command must be the first command of a search.

ITWhisperer · ‎09-22-2021

The part before the blank lines just sets up dummy data - you have real data to work with so you don't need this part

samneo · ‎09-28-2021

unfortunately this didnt work for my data

% difference in errors over the last 5 minutes

timechart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?