Splunk Search

Plot rate of change of count

jpillai
Path Finder

Hi all,


I'm analysing event counts for specific search criteria and I want to know how the count of values changed over time. The search below is not good enough to see what's going on, as many usernames have a huge number of events and some with small numbers are barely noticeable (I'm interested in the rate of change and not the count itself).

```
index=test_index "search string" | timechart span=10m count(field1) by username
```

So I want to see a rate of change of the count rather than simple count, by username field. How can we achieve this?


Richfez
SplunkTrust

There are a few ways to go about this and none of them are really easy. There's a specific command 'delta', but it only works for one field, so we'll have to go a bit off road.

I just used my firewall data "by transport" instead of "by user" (== tcp, udp, etc.), but I'm sure you can adapt it to yours (only lines 1 and 2 need changing).

```
index=fw
| timechart span=10m count by transport
| streamstats window=2 first(*) as first_* last(*) as last_*
| foreach *_*
    [eval delta_<<MATCHSEG2>> = first_<<MATCHSEG2>> - last_<<MATCHSEG2>> ]
| fields delta*
```

So what that does:

Lines 1 and 2 are more or less like you have them. Start by running just these two lines and adapting until you get your timechart data coming out OK.

In line 3 we use streamstats to build groups of two of those events, and though it looks messy with the wildcards and underscores, it'll build new fields like first_tcp, last_tcp and so on.

Line 4 is foreach and says: for every field with a _ in the middle, like first_tcp, make a new field delta_tcp which is first_tcp - last_tcp.

The last line just trims out all fields except our delta_* fields, because those are the only ones we want.

Try those: get the first two working, then add one line at a time and watch what each one adds/does.


Happy Splunking!

-Rich

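To see what the streamstats/foreach pipeline above actually produces on each row before running it against real data, here is an added Python model of the three steps (not code from the thread or from Splunk). The timechart rows and usernames are constructed; it assumes `streamstats window=2` pairs each bucket with the one before it and that `fields delta*` keeps the internal `_time` field.

```python
from typing import Dict, List

# Constructed timechart output: one row per 10-minute bucket, one column per
# username (the "by username" split), values are event counts.
TIMECHART_ROWS: List[Dict[str, int]] = [
    {"_time": 0,    "alice": 1000, "bob": 10},
    {"_time": 600,  "alice": 1020, "bob": 10},
    {"_time": 1200, "alice": 1020, "bob": 40},
    {"_time": 1800, "alice":  900, "bob": 40},
]


def streamstats_first_last(rows: List[Dict[str, int]], window: int = 2) -> List[Dict[str, int]]:
    """Model of `streamstats window=2 first(*) as first_* last(*) as last_*`.
    The window is the current row plus up to window-1 preceding rows; first()
    is the oldest row in it, last() the newest. On the very first row the
    window holds only that row, so first_x == last_x there (assumption)."""
    out = []
    for i, row in enumerate(rows):
        oldest, newest = rows[max(0, i - window + 1)], row
        new_row = dict(row)
        for field in row:
            if field.startswith("_"):        # _time is internal, not a split column
                continue
            new_row[f"first_{field}"] = oldest[field]
            new_row[f"last_{field}"] = newest[field]
        out.append(new_row)
    return out


def foreach_delta(rows: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Model of `foreach *_* [eval delta_<<MATCHSEG2>> = first_<<MATCHSEG2>> - last_<<MATCHSEG2>>]`.
    MATCHSEG2 is the text after the underscore (alice in first_alice), so the
    eval fires for both first_alice and last_alice and writes the same delta_alice.
    Note the sign: first_ is the older bucket, so a rising count shows as a
    negative delta. Usernames that themselves contain '_' are not modelled."""
    out = []
    for row in rows:
        new_row = dict(row)
        for field in row:
            if field.startswith("_") or "_" not in field:
                continue
            name = field.split("_", 1)[1]
            new_row[f"delta_{name}"] = row[f"first_{name}"] - row[f"last_{name}"]
        out.append(new_row)
    return out


def rate_of_change(rows: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Whole pipeline; the final step models `fields delta*` (keeps _time)."""
    return [{k: v for k, v in r.items() if k == "_time" or k.startswith("delta_")}
            for r in foreach_delta(streamstats_first_last(rows))]
```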