This seems like such an elementary use of Splunk, I can't believe I've spent days researching this to no avail. I've read the two other relevant questions, but their answers don't work.
I have a nice chart of message counts produced by:
index=... source=... earliest=... | timechart span=15m max(out_msgs)
But what I want is a rate per interval of 'out_msgs' (e.g. messages per 15 min).
index=os sourcetype=interfaces host=prefix-*
| reverse
| streamstats range(TXbytes) as tx_delta global=f window=2 by host
| timechart span=1m max(tx_delta) as tx_delta by host
Based on https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html and tweaked to work for fleets of hosts.
Alternatively, you could do this:
| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs
This is great. I understand it. It's simple. It uses delta. Excellent.
Hehe, looks like I missed something in my delta example, but I cannot figure out what... 🙂
Hi jgc94131,
take this run everywhere example and adapt it to your needs:
index=_internal
| bucket _time span=15min
| multikv fields series, kbps
| stats earliest(kbps) as previous, latest(kbps) as current by _time, series
| eval rateofchange=round((current-previous)/previous,2)
| rename rateofchange as "% Rate of Change"
This will create a stats table of kbps per series and evaluate a % Rate of Change per 15-minute interval.
If you only want to see the delta between the 15-minute intervals, you can also use something like this:
index=_internal | timechart span=15min avg(kbps) AS avgKBPS | delta avgKBPS
Hope this helps to get you started...
cheers, MuS
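To make the two approaches in this thread concrete (the per-bucket max followed by delta/streamstats, and MuS's earliest-vs-latest rate of change per bucket), here is an added Python model of what those SPL commands compute. It is not code from the thread or from Splunk; the host names, timestamps and counter values are constructed sample events, and the function names (timechart_max, delta, counter_delta, rate_of_change) are my own. It goes one step beyond the thread in counter_delta, which treats a drop in a cumulative counter (a process restart) as a reset rather than reporting a large negative rate, the one thing a plain delta silently gets wrong.

```python
from collections import defaultdict
from datetime import datetime, timezone

SPAN = 15 * 60  # seconds; the `span=15m` used in the thread's searches


def to_epoch(ts):
    """Parse an ISO timestamp (assumed UTC) into epoch seconds."""
    return int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample events (not real Splunk data): (_time, host, out_msgs).
# out_msgs is a cumulative counter; host "web2" restarts at 10:20, so its
# counter drops back to a small value.
EVENTS = [
    (to_epoch("2024-01-01T10:00:00"), "web1", 1000),
    (to_epoch("2024-01-01T10:05:00"), "web1", 1040),
    (to_epoch("2024-01-01T10:16:00"), "web1", 1100),
    (to_epoch("2024-01-01T10:29:00"), "web1", 1180),
    (to_epoch("2024-01-01T10:31:00"), "web1", 1200),
    (to_epoch("2024-01-01T10:44:00"), "web1", 1300),
    (to_epoch("2024-01-01T10:00:00"), "web2", 500),
    (to_epoch("2024-01-01T10:14:00"), "web2", 560),
    (to_epoch("2024-01-01T10:20:00"), "web2", 7),    # counter reset after restart
    (to_epoch("2024-01-01T10:29:00"), "web2", 40),
]


def bucket(t, span=SPAN):
    """`bucket _time span=15m`: floor the timestamp to the start of its span."""
    return t - (t % span)


def timechart_max(events, span=SPAN):
    """`timechart span=15m max(out_msgs) as out_msgs by host`.

    Returns {host: [(bucket_start, max_value), ...]} sorted by time.
    """
    per_host = defaultdict(dict)
    for t, host, value in events:
        b = bucket(t, span)
        cur = per_host[host].get(b)
        per_host[host][b] = value if cur is None else max(cur, value)
    return {h: sorted(d.items()) for h, d in per_host.items()}


def delta(series):
    """`delta out_msgs as delta`: difference from the previous row.

    The first row has no predecessor, so its delta is None (Splunk leaves
    the field empty there as well).
    """
    out = []
    prev = None
    for b, value in series:
        out.append((b, None if prev is None else value - prev))
        prev = value
    return out


def counter_delta(series):
    """Like delta(), but a drop in a cumulative counter is treated as a reset
    and the new value is counted from zero instead of producing a large
    negative rate. (Added here; the thread does not handle resets.)"""
    out = []
    prev = None
    for b, value in series:
        if prev is None:
            d = None
        elif value < prev:
            d = value          # counter restarted; assume it began at 0
        else:
            d = value - prev
        out.append((b, d))
        prev = value
    return out


def rate_of_change(events, span=SPAN):
    """MuS's approach: per span and series, earliest vs. latest value and the
    relative change (current - previous) / previous, rounded to 2 places."""
    first, last = {}, {}
    for t, series, value in sorted(events):
        key = (bucket(t, span), series)
        first.setdefault(key, value)   # earliest(kbps)
        last[key] = value              # latest(kbps)
    result = {}
    for key in first:
        previous, current = first[key], last[key]
        result[key] = round((current - previous) / previous, 2) if previous else None
    return result


if __name__ == "__main__":
    chart = timechart_max(EVENTS)
    for host, series in chart.items():
        print(host, "delta:", delta(series))
        print(host, "counter_delta:", counter_delta(series))
    print(rate_of_change(EVENTS))
```

Running it shows why the reset matters: for web2 the plain delta reports -520 messages in the 10:15 bucket, while counter_delta reports 40, which is what actually went out after the restart. In SPL the equivalent guard is an eval that replaces a negative delta with the current counter value before charting it.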
Could you be a little more clear? You are plotting them for every 15 minutes already. What do we require here? Is rate another param?
| bucket _time span=15m | chart max(rate) by out_msgs
| timechart span=15m max(rate) by out_msgs
Thanks,
L
out_msgs is a counter that increments on each output message. I want to measure its rate of change.