Splunk Search

refer to first bucket values to compute more data

theeven
Explorer

Hi Folks,
Here's what I have,

index=blah | bucket span=1d _time | chart count(id) over _time by src

Chart:

_time src1   src2
day1  100    200
day2  110    180
day3  105    100
day4  90     210

Now heres what I am looking for, given a time window produce & variation from start of time period per source. Start of the time period is considered as baseline (0%). I am looking for a way to refer to first bucket value to compute this % values. End result should look like something below.

Chart:

_time src1   src1%   src2   src2%
day1  100    0%      200    0%
day2  110    10%     180    -10%
day3  105    5%      100    0%
day4  90     -10%    210    5%

Is there a way to use _time as key? If yes how?

Tags (4)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I've re-created your scenario after the chart like this:

| gentimes start=-1 increment=2h | streamstats count as day | fields day | eval value=(random()%200) | appendpipe [stats count as day | eval day=0 | eval value=100] | sort + day

Running that produces a table similar to your first result. Using that, I've built a table similar to your desired second result like this:

... | eventstats first(value) as baseline | eval diff=(value-baseline)/baseline | fieldformat diff = round(diff*100,2)."%" | table day value diff

The end result looks something like this:

day value   diff
 0  100       0.00%
 1   70     -30.00%
 2   47     -53.00%
 3  156      56.00%
 4  181      81.00%
 5  130      30.00%
 6  155      55.00%
 7  192      92.00%
 8  137      37.00%
 9  110      10.00%
10    7     -93.00%
11  100       0.00%
12  133      33.00% 
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can run a search pipeline for multiple fields using the foreach command: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/foreach

0 Karma

theeven
Explorer

I was able to produce A. as below,

index=blah | bucket span=1h _time | stats count(id) as cnt by _time, src | table _time, src, cnt | xyseries _time src cnt

but having difficulties in creating diff per src. How can I create multiple fields at once?

0 Karma

theeven
Explorer

Martin, thanks for replying. I see your point. Looks like a great approach for single series of data. I am having difficulties applying same on multiple time series data.

As you can see in my above example I have matrix of data for each "src". Hence I am using bucket/span along with chart to produce 1st table.

In order to use your approach,
A. I need to bring data in tabular without using chart and "over" feature.
B. Generate diff per src as final solution.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...