Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create timechart for event spikes by comparing to the previous 10 minute?

ygzamx
Engager
‎08-24-2022 08:37 AM

Hi all!

I'm trying to create a Timechart showing only the graph bars where the number of events is 2X the number of events from the previous 10 minutes. 

 

E.g. if I have 10,000 events at 10:10 AM to 10:20 AM

and 30,000 at 10:20 AM -10:30 AM

then 35,000 at 10:30 AM to 10:40 AM

 

I want the timechart to show only the bar for 10:20-10:30 period, which is where the surge happened.

 

Hope that makes sense, thanks in advance!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2022 09:16 AM

Try something like this (runanywhere sample, adjust per your query)

index = _internal sourcetype=splunk_web_access 
| timechart span=10m count
|  delta count as countdiff 
|  eval surge=(countdiff)/if(count-countdiff=0,1,count-countdiff) 
|  where surge>2

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2022 09:16 AM

Try something like this (runanywhere sample, adjust per your query)

index = _internal sourcetype=splunk_web_access 
| timechart span=10m count
|  delta count as countdiff 
|  eval surge=(countdiff)/if(count-countdiff=0,1,count-countdiff) 
|  where surge>2

 

0 Karma
Reply
Solved! Jump to solution

ygzamx
Engager
‎08-24-2022 10:00 AM

Thank you! it works!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...