Solved: How to create timechart for event spikes by compar...

ygzamx · ‎08-24-2022

Hi all!

I'm trying to create a Timechart showing only the graph bars where the number of events is 2X the number of events from the previous 10 minutes.

E.g. if I have 10,000 events at 10:10 AM to 10:20 AM

and 30,000 at 10:20 AM -10:30 AM

then 35,000 at 10:30 AM to 10:40 AM

I want the timechart to show only the bar for 10:20-10:30 period, which is where the surge happened.

Hope that makes sense, thanks in advance!

somesoni2 · ‎08-24-2022

Try something like this (runanywhere sample, adjust per your query)

index = _internal sourcetype=splunk_web_access 
| timechart span=10m count
|  delta count as countdiff 
|  eval surge=(countdiff)/if(count-countdiff=0,1,count-countdiff) 
|  where surge>2

View solution in original post

somesoni2 · ‎08-24-2022

Try something like this (runanywhere sample, adjust per your query)

index = _internal sourcetype=splunk_web_access 
| timechart span=10m count
|  delta count as countdiff 
|  eval surge=(countdiff)/if(count-countdiff=0,1,count-countdiff) 
|  where surge>2

ygzamx · ‎08-24-2022

Thank you! it works!

How to create timechart for event spikes by comparing to the previous 10 minute?

stats

timechart

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio