refer to first bucket values to compute more data

theeven
Explorer

Hi Folks,
Here's what I have,

index=blah | bucket span=1d _time | chart count(id) over _time by src

Chart:

_time src1   src2
day1  100    200
day2  110    180
day3  105    100
day4  90     210

Now here's what I am looking for: given a time window, produce the % variation from the start of the time period per source. The start of the time period is considered the baseline (0%). I am looking for a way to refer to the first bucket value to compute these % values. The end result should look something like below.

Chart:

_time src1   src1%   src2   src2%
day1  100    0%      200    0%
day2  110    10%     180    -10%
day3  105    5%      100    0%
day4  90     -10%    210    5%

Is there a way to use _time as a key? If yes, how?


martin_mueller
SplunkTrust

I've re-created your scenario after the chart like this:

| gentimes start=-1 increment=2h | streamstats count as day | fields day | eval value=(random()%200) | appendpipe [stats count as day | eval day=0 | eval value=100] | sort + day

Running that produces a table similar to your first result. Using that, I've built a table similar to your desired second result like this:

... | eventstats first(value) as baseline | eval diff=(value-baseline)/baseline | fieldformat diff = round(diff*100,2)."%" | table day value diff

The end result looks something like this:

day value   diff
 0  100       0.00%
 1   70     -30.00%
 2   47     -53.00%
 3  156      56.00%
 4  181      81.00%
 5  130      30.00%
 6  155      55.00%
 7  192      92.00%
 8  137      37.00%
 9  110      10.00%
10    7     -93.00%
11  100       0.00%
12  133      33.00% 

martin_mueller
SplunkTrust

You can run a search pipeline for multiple fields using the foreach command: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/foreach


theeven
Explorer

I was able to produce A. as below,

index=blah | bucket span=1h _time | stats count(id) as cnt by _time, src | table _time, src, cnt | xyseries _time src cnt

but I am having difficulties creating the diff per src. How can I create multiple fields at once?


theeven
Explorer

Martin, thanks for replying. I see your point. Looks like a great approach for a single series of data. I am having difficulties applying the same to multiple time series.

As you can see in my example above, I have a matrix of data for each "src". Hence I am using bucket/span along with chart to produce the 1st table.

In order to use your approach,
A. I need to bring the data into tabular form without using chart and the "over" feature.
B. Generate the diff per src as the final solution.

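The computation the thread works toward, written out in Python as an added example (not SPL from any of the posts): take the first bucket of each src column as its baseline (eventstats first() as baseline), compute the percent difference (the eval/fieldformat step), and apply that same template to every src column at once, which is what foreach does for multiple fields. The input is the first chart from the question, re-typed as constructed sample rows; the function names are my own, and a zero baseline yields None, as Splunk's eval would yield null.

```python
from typing import Dict, List, Optional

Row = Dict[str, object]

# Constructed sample: the question's first chart, one row per _time bucket with
# a count per src (the shape `chart count(id) over _time by src` produces).
CHART_ROWS: List[Row] = [
    {"_time": "day1", "src1": 100, "src2": 200},
    {"_time": "day2", "src1": 110, "src2": 180},
    {"_time": "day3", "src1": 105, "src2": 100},
    {"_time": "day4", "src1": 90, "src2": 210},
]


def pct_from_baseline(value, baseline) -> Optional[float]:
    """eval diff=(value-baseline)/baseline, scaled to a percentage.
    Returns None for a missing value or a zero/missing baseline (eval -> null)."""
    if value is None or baseline in (None, 0):
        return None
    return round((value - baseline) / baseline * 100, 2)


def add_pct_columns(rows: List[Row], key: str = "_time") -> List[Row]:
    """For every series column (all fields except `key`), take the first
    non-null value in row order as the baseline and append a '<field>%' column.
    Looping over the series is the foreach part; first-value lookup is the
    eventstats first() part."""
    if not rows:
        return []
    series = [f for f in rows[0] if f != key]
    baseline = {
        s: next((r.get(s) for r in rows if r.get(s) is not None), None)
        for s in series
    }
    out: List[Row] = []
    for r in rows:
        new = dict(r)
        for s in series:
            new[s + "%"] = pct_from_baseline(r.get(s), baseline[s])
        out.append(new)
    return out


def render(rows: List[Row]) -> str:
    """Like `fieldformat ... round(x,2)."%"`: show percent columns with a suffix."""
    lines = ["\t".join(rows[0])] if rows else []
    for r in rows:
        lines.append("\t".join(
            ("null" if v is None else f"{v:.2f}%") if k.endswith("%") else str(v)
            for k, v in r.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(add_pct_columns(CHART_ROWS)))
```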