My Search has the below format data.
A single host has multiple parameters, consisting of LED 1 to 20 for each TV, and there are 24 TVs. The LED power parameter has a value, say Max(val) 34.0, which is related to PA (power Amplitude) of Low/High; we only want to search for PA = Low.
Query :
source="c:\\program files (x86)\\xxxx" "PLogger" TV earliest=-2d@d latest=now PA = Low | stats max(VAL) by host, TV, LED, PA , _time | fields "host" "LED","PA", "TV", "max(VAL)" |
Result :
host LED PA TV Max (Val) _Time
03192610158 0 Low A1 48.863 2019-12-19 22:00:08.177
03192610158 0 Low A1 48.61 2019-12-20 22:00:08.140
031................. 1 Low A1 44.23 2019-12-19 22:00:08.177
031................. 1 Low A1 45.23 2019-12-20 22:00:08.177
|||||
|||||
031................. 19 Low A1 49.23 2019-12-19 22:00:08.177
031................. 19 Low A1 50.23 2019-12-20 22:00:08.177
|||||
|||||
031................. 1 Low A2 52.23 2019-12-19 22:00:08.177
031................. 1 Low A2 53.73 2019-12-20 22:00:08.177
And it continues for the same host, for each TV and its 20 LEDs.
Now I need to calculate the percentage difference of LED 1, 2, ... till 19 for each TV (A1 to A24) and raise an alert for any LEDs if they drop by 5%.
This is the Splunk query I use:
source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PLogger" earliest=-7d@d latest=now TV PA = Low | stats max(VAL) as max_val by host, TILE, Laser, PA , _time | fields host, TV, LED, PA ,max_val, _time |streamstats current=f values(max_val) as prev_val by LED TV host| eval perc_diff=((max_val - prev_val)/((max_val + prev_val)/2)*100) | where perc_diff > 5
Output for one host :
Host :::::: TV ::::::: LED:::::::: PA ::::: Max_val ::::: _time :::: Perc_diff ::::: prev_val
DESKTOP-3S2CV0M :::: E1 ::::: 16 :::: Low :::: 30.354 ::::: 2020-05-06 10:00:46.221 :::: 5.136 ::::: 28.834
Cross Checking host data for the week:
11 May 2020 05:00:46,276 [4] INFO PLogger : TV = E1, Laser = 16, PA = Low, VAL = 31.512
10 May 2020 05:00:46,211 [11] INFO PLogger : TV = E1, LED = 16, PA = Low, VAL = 30.124
09 May 2020 05:00:46,227 [10] INFO PLogger : TV= E1, LED= 16, PA = Low, VAL = 30.695
08 May 2020 05:00:46,307 [11] INFO PLogger : TV = E1, LED = 16, PA = Low, VAL = 28.731
07 May 2020 05:00:46,666 [5] INFO PLogger - : TV = E1, LED = 16, PA = Low, VAL = 28.452
06 May 2020 05:00:46,221 [16] INFO PLogger -: TV = E1, LED= 16, PA = Low, VAL = **30.354**
05 May 2020 05:00:47,196 [16] INFO PLogger : TV= E1, LED = 16, PA = Low, VAL = **28.834**
The problem here is that the value is only getting calculated between the last 2 days, as you can see in the highlighted data above.
I am stuck on how to get the alert correctly. How can I get the correct perc_diff alert for the week?
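The week-long calculation asked about above, worked through in Python over the log lines quoted in the post. This is an added example, not part of the original post and not SPL. The function names are hypothetical, "Laser" in the 11 May line is assumed to be the same field as "LED", and a "drop" is taken to mean a change below -5%.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post (one host, TV E1, LED 16), bold markers removed.
LOG = """\
11 May 2020 05:00:46,276 [4] INFO PLogger : TV = E1, Laser = 16, PA = Low, VAL = 31.512
10 May 2020 05:00:46,211 [11] INFO PLogger : TV = E1, LED = 16, PA = Low, VAL = 30.124
09 May 2020 05:00:46,227 [10] INFO PLogger : TV= E1, LED= 16, PA = Low, VAL = 30.695
08 May 2020 05:00:46,307 [11] INFO PLogger : TV = E1, LED = 16, PA = Low, VAL = 28.731
07 May 2020 05:00:46,666 [5] INFO PLogger - : TV = E1, LED = 16, PA = Low, VAL = 28.452
06 May 2020 05:00:46,221 [16] INFO PLogger -: TV = E1, LED= 16, PA = Low, VAL = 30.354
05 May 2020 05:00:47,196 [16] INFO PLogger : TV= E1, LED = 16, PA = Low, VAL = 28.834
"""

LINE = re.compile(r"^(\d{2} \w{3} \d{4} [\d:]+),\d+ .*?PLogger[ -]*: (.*)$")

def parse(log):
    """Yield (time, tv, led, pa, val); tolerates uneven spacing around '='."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kv = dict(re.findall(r"(\w+)\s*=\s*([\w.]+)", m.group(2)))
        # Assumption: "Laser" in the 11 May line is the same field as "LED".
        led = kv.get("LED", kv.get("Laser"))
        when = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
        yield when, kv["TV"], led, kv["PA"], float(kv["VAL"])

def daily_changes(log, pa="Low"):
    """Symmetric % difference of each reading against the one before it."""
    series = defaultdict(list)
    for when, tv, led, p, val in parse(log):
        if p == pa:
            series[(tv, led)].append((when, val))
    out = []
    for key, points in series.items():
        points.sort()  # oldest first, so each reading is paired with the prior day
        for (_, prev), (when, cur) in zip(points, points[1:]):
            diff = (cur - prev) / ((cur + prev) / 2) * 100
            out.append((key, when.date().isoformat(), prev, cur, round(diff, 3)))
    return out

def drops(log, threshold=5.0):
    """Rows whose value fell by more than threshold % against the prior reading."""
    return [row for row in daily_changes(log) if row[4] < -threshold]
```

The first row reproduces the 5.136 shown in the post's output for 06 May; the other five rows are the comparisons missing from that output.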