Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

plot rate of change

jgc94131
Explorer
‎06-19-2014 08:16 PM

This seems like such an elementary use of splunk, I can't believe I've spent days researching this to no avail. I've read the two other relevant questions, but their answers don't work.

I have a nice chart of message counts produced by:

index=... source=... earliest=... | timechart span=15m max(out_msgs)

But what I want is a rate per interval of 'out_msgs' (eg messages per 15min)

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-20-2014 12:42 AM

Alternatively, you could do this:

| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs

View solution in original post

Reply
Solved! Jump to solution

jdsumsion
Engager
‎02-07-2020 04:22 PM


index=os sourcetype=interfaces host=prefix-*
| reverse
| streamstats range(TXbytes) as tx_delta global=f window=2 by host
| timechart span=1m max(tx_delta) as tx_delta by host

Based on https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html and tweaked to work for fleets of hosts.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-20-2014 12:42 AM

Alternatively, you could do this:

| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs
Reply
Solved! Jump to solution

jgc94131
Explorer
‎06-20-2014 10:13 AM

This is great. I understand it. It's simple. It uses delta. Excellent.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-20-2014 12:51 AM

HeHe, looks like I missed something in my delta example, but I cannot figure it out what .... ? 🙂

Reply
Solved! Jump to solution

MuS
Legend
‎06-20-2014 12:28 AM

Hi jgc94131,

take this run everywhere example and adapt it to your needs:

index=_internal 
| bucket _time span=15min
| multikv fields series, kbps  
| stats earliest(kbps) as previous, latest(kbps) as current by series
| eval rateofchange=round((current-previous)/previous,2) 
| rename rateofchange as "% Rate of Change"

this will create a stats table of kbps per series and evaluates a % Rate of Change per 15 minutes interval.
If you only want to see the delta between the 15min interval you can also use something like this:

index=_internal | timechart span=15min avg(kbps) AS avgKBPS | delta avgKBPS

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

linu1988
Champion
‎06-19-2014 08:48 PM

could you be a little more clear? you are plotting them for every 15 minutes already. What do we required here? Is rate is another param?

|bucket _time span=15m |chart max(rate) by out_msgs

|timechart span=15m max(rate) by out_msgs

Thanks,
L

0 Karma
Reply
Solved! Jump to solution

jgc94131
Explorer
‎06-20-2014 10:08 AM

out_msgs is a counter that increments on each output message. I want to measure its rate of change.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...