Splunk Search

Compare two counter values in time

jcl_tw0
New Member

Hi,

I want to write a query to compare a performance counter's values over a 20 min span where the counter values change more than 1000.

Your help is appreciated!


jcl_tw0
New Member

I ran the query, but the CounterValue, min_cv and max_cv values are the same, so the diff between min_cv and max_cv is 0.


HiroshiSatoh
Champion

I have combined data from 20 minutes before the most recent data.
But it is long ...

sourcetype=counter
| eval key=_time.counter
| rename value as base_value
| table key,_time,counter,base_value
| join key
    [search sourcetype=counter
    | eval key=round(relative_time(_time,"-20m@m")).counter
    | rename _time as ago_time,value as ago_value
    | table key,ago_time,counter,ago_value]
| eval period=strftime(_time,"%Y/%m/%d %H:%M-").strftime(ago_time,"%H:%M")
| eval difference=abs(base_value-ago_value)
| table period,counter,difference
| where difference<1000


dmlee
Communicator

I think you can try the command below:

sourcetype=counter
| bucket _time span=20m
| stats min(counter_value) as min_cv max(counter_value) as max_cv by counter, _time
| eval diff = max_cv - min_cv
| search diff<1000

By the way, if your time span is 20 minutes, the answer should be counter 1 between 3:00:00pm and 3:19:59pm (not 3:20:00pm), value=100. 3:20:00 is the beginning of the next 20 minutes, right?


jcl_tw0
New Member

For example:
- 9/10/13 3:00 PM - counter 1, counter value 13240
- 9/10/13 3:00 PM - counter 2, counter value 12700
- 9/10/13 3:10 PM - counter 1, counter value 13340
- 9/10/13 3:10 PM - counter 2, counter value 13800
- 9/10/13 3:20 PM - counter 1, counter value 13430
- 9/10/13 3:20 PM - counter 2, counter value 14850
- 9/10/13 3:30 PM - counter 1, counter value 15200
- 9/10/13 3:30 PM - counter 2, counter value 16200

In a span of 20 minutes between 3:00 PM and 3:30 PM, which counter has counter value changes of less than 1000? The answer is counter 1 between 3:00 PM and 3:20 PM, value 190.

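The thread gives two different answers for the same sample data (100 and 190). This added example, which is not code from any poster in the thread, models both readings of "20 minute span" in Python: aligned 20-minute buckets, as `bucket _time span=20m` produces, and pairs of readings exactly 20 minutes apart, as the join-based query compares. The function names are hypothetical; the sample values are the ones listed in the post above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Readings copied from the thread: (timestamp, counter, counter value).
SAMPLES = [
    ("9/10/13 3:00 PM", 1, 13240), ("9/10/13 3:00 PM", 2, 12700),
    ("9/10/13 3:10 PM", 1, 13340), ("9/10/13 3:10 PM", 2, 13800),
    ("9/10/13 3:20 PM", 1, 13430), ("9/10/13 3:20 PM", 2, 14850),
    ("9/10/13 3:30 PM", 1, 15200), ("9/10/13 3:30 PM", 2, 16200),
]
SPAN_MIN = 20
SPAN = timedelta(minutes=SPAN_MIN)

def parse(samples):
    fmt = "%m/%d/%y %I:%M %p"
    return [(datetime.strptime(ts, fmt), c, v) for ts, c, v in samples]

def fixed_buckets(samples):
    """max - min per counter inside aligned buckets (15:00-15:19:59, 15:20-...)."""
    buckets = defaultdict(list)
    for t, c, v in parse(samples):
        # Snap to the bucket start; valid for spans that divide 60 minutes.
        start = t.replace(minute=t.minute - t.minute % SPAN_MIN, second=0)
        buckets[(c, start.strftime("%H:%M"))].append(v)
    return {k: max(vs) - min(vs) for k, vs in buckets.items()}

def sliding_pairs(samples):
    """|value(t + 20m) - value(t)| for every reading with a partner 20 min later."""
    by_key = {(c, t): v for t, c, v in parse(samples)}
    out = {}
    for (c, t), v in by_key.items():
        later = by_key.get((c, t + SPAN))
        if later is not None:  # readings near the end have no partner yet
            key = (c, t.strftime("%H:%M"), (t + SPAN).strftime("%H:%M"))
            out[key] = abs(later - v)
    return out

def under(results, limit=1000):
    """Keep only the windows whose change is below the limit."""
    return {k: d for k, d in results.items() if d < limit}

if __name__ == "__main__":
    print("fixed buckets :", under(fixed_buckets(SAMPLES)))
    print("sliding pairs :", under(sliding_pairs(SAMPLES)))
```

The bucket model never sees the 3:20 PM reading together with the 3:00 PM one, so a change that straddles a bucket boundary is split across two rows.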

rturk
Builder

Can you provide some sample events or context?
