Splunk Search

plot rate of change

jgc94131
Explorer

This seems like such an elementary use of Splunk, I can't believe I've spent days researching this to no avail. I've read the two other relevant questions, but their answers don't work.

I have a nice chart of message counts produced by:

index=... source=... earliest=... | timechart span=15m max(out_msgs)

But what I want is a rate per interval of 'out_msgs' (e.g. messages per 15 min).

1 Solution

martin_mueller
SplunkTrust

Alternatively, you could do this:

| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs


jdsumsion
Engager


index=os sourcetype=interfaces host=prefix-*
| reverse
| streamstats range(TXbytes) as tx_delta global=f window=2 by host
| timechart span=1m max(tx_delta) as tx_delta by host

Based on https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html and tweaked to work for fleets of hosts.

0 Karma

martin_mueller
SplunkTrust

Alternatively, you could do this:

| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs

jgc94131
Explorer

This is great. I understand it. It's simple. It uses delta. Excellent.

0 Karma

MuS
Legend

HeHe, looks like I missed something in my delta example, but I cannot figure out what ... ? 🙂

MuS
Legend

Hi jgc94131,

Take this run-everywhere example and adapt it to your needs:

index=_internal
| bucket _time span=15min
| multikv fields series, kbps
| stats earliest(kbps) as previous, latest(kbps) as current by series
| eval rateofchange=round((current-previous)/previous,2)
| rename rateofchange as "% Rate of Change"

This will create a stats table of kbps per series and evaluate a % Rate of Change per 15-minute interval.
If you only want to see the delta between the 15-minute intervals, you can also use something like this:

index=_internal | timechart span=15min avg(kbps) AS avgKBPS | delta avgKBPS

Hope this helps to get you started ...

cheers, MuS
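To make the two approaches in this thread concrete outside Splunk, here is an added Python example (not from the thread or from Splunk) that does the same arithmetic as the accepted answer (`timechart span=15m max(out_msgs) | delta out_msgs`) and as MuS's `round((current-previous)/previous,2)` on a constructed set of counter readings. The sample data, the 15-minute bucketing helper, and the counter-reset guard in `messages_per_interval` are my own assumptions; the thread itself does not discuss resets, but a monotonic counter that restarts produces a negative delta, which is the first thing a reader of the resulting chart will ask about.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

SPAN = timedelta(minutes=15)

# Constructed sample input (not from the thread): readings of a monotonic
# out_msgs counter taken every 5 minutes. The emitting process restarts at
# 00:45, so the counter drops back towards zero there.
SAMPLES = [
    ("2024-01-01 00:00", 100),
    ("2024-01-01 00:05", 130),
    ("2024-01-01 00:10", 170),
    ("2024-01-01 00:15", 200),
    ("2024-01-01 00:20", 260),
    ("2024-01-01 00:25", 300),
    ("2024-01-01 00:30", 340),
    ("2024-01-01 00:35", 380),
    ("2024-01-01 00:40", 420),
    ("2024-01-01 00:45", 20),   # counter reset after a restart
    ("2024-01-01 00:50", 60),
    ("2024-01-01 00:55", 100),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def bucket_start(ts, span=SPAN):
    """Floor a timestamp to the start of its bucket, like `bucket _time span=15m`.
    Works for any span that divides a day evenly (assumption of this helper)."""
    width = int(span.total_seconds())
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(seconds=secs - secs % width)


def timechart_max(samples, span=SPAN):
    """Equivalent of `timechart span=15m max(out_msgs)`: highest reading per bucket."""
    buckets = {}
    for ts, value in samples:
        b = bucket_start(parse(ts), span)
        buckets[b] = max(buckets.get(b, value), value)
    return OrderedDict(sorted(buckets.items()))


def delta(series):
    """Equivalent of `| delta out_msgs as delta`: difference from the previous
    row; None on the first row, where the delta command leaves the field empty."""
    out, prev = OrderedDict(), None
    for b, value in series.items():
        out[b] = None if prev is None else value - prev
        prev = value
    return out


def rate_of_change(series):
    """MuS's eval, row over row: round((current-previous)/previous, 2).
    None when there is no previous row or the previous value is 0."""
    out, prev = OrderedDict(), None
    for b, value in series.items():
        out[b] = None if prev in (None, 0) else round((value - prev) / prev, 2)
        prev = value
    return out


def messages_per_interval(series):
    """Messages per bucket with a reset guard (my assumption, not in the thread):
    a negative delta means the counter restarted, so report what accrued since the
    restart (the bucket's own max) instead of a negative rate. This undercounts
    anything sent between the previous bucket's max and the restart."""
    out = OrderedDict()
    for b, d in delta(series).items():
        out[b] = None if d is None else (series[b] if d < 0 else d)
    return out


if __name__ == "__main__":
    series = timechart_max(SAMPLES)
    raw, ratio, guarded = delta(series), rate_of_change(series), messages_per_interval(series)
    print(f"{'bucket':<17}{'max':>6}{'delta':>8}{'ratio':>8}{'per_int':>9}")
    for b in series:
        print(f"{b:%Y-%m-%d %H:%M}{series[b]:>6}{str(raw[b]):>8}"
              f"{str(ratio[b]):>8}{str(guarded[b]):>9}")
```

Running it prints one row per 15-minute bucket; the 00:45 row shows the raw delta going negative (-320) while the guarded column reports the 100 messages counted since the restart. jdsumsion's `streamstats range(...) window=2 by host` is the same row-over-row difference as `delta`, computed separately per host, which is why it needs `| reverse` first so the window runs forward in time.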

linu1988
Champion

Could you be a little more clear? You are plotting them for every 15 minutes already. What do we require here? Is rate another param?

| bucket _time span=15m | chart max(rate) by out_msgs

| timechart span=15m max(rate) by out_msgs

Thanks,
L

0 Karma

jgc94131
Explorer

out_msgs is a counter that increments on each output message. I want to measure its rate of change.

0 Karma