
plot rate of change

jgc94131
Explorer

This seems like such an elementary use of splunk, I can't believe I've spent days researching this to no avail. I've read the two other relevant questions, but their answers don't work.

I have a nice chart of message counts produced by:

index=... source=... earliest=... | timechart span=15m max(out_msgs)

But what I want is the rate per interval of 'out_msgs' (e.g. messages per 15 min).

1 Solution

martin_mueller
SplunkTrust

Alternatively, you could do this:

| timechart span=15m max(out_msgs) as out_msgs | delta out_msgs as delta | fields - out_msgs

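To make clear what the accepted `timechart span=15m max(out_msgs) | delta` pipeline computes, here is an added example (not from the thread or from Splunk) that reproduces it in Python over a constructed sample of counter readings. It goes one step beyond the SPL: a monotonic counter that resets (process restart) would give `delta` a negative value, so the example flags that case instead of reporting it as a rate. Interval span, sample data and function names are assumptions.

```python
from collections import OrderedDict
from datetime import datetime, timezone

SPAN_SECONDS = 15 * 60  # assumed interval, matches span=15m

# Constructed sample: (timestamp, out_msgs) readings of a monotonic counter.
# The counter resets to a small value at 10:50 (e.g. the process restarted).
SAMPLES = [
    ("2024-01-01T10:00:00Z", 1000),
    ("2024-01-01T10:05:00Z", 1040),
    ("2024-01-01T10:10:00Z", 1090),
    ("2024-01-01T10:20:00Z", 1150),
    ("2024-01-01T10:25:00Z", 1210),
    ("2024-01-01T10:35:00Z", 1300),
    ("2024-01-01T10:50:00Z", 20),    # counter reset
    ("2024-01-01T10:55:00Z", 70),
]


def bucket_max(samples, span=SPAN_SECONDS):
    """Equivalent of `| timechart span=15m max(out_msgs)`: the highest
    counter value seen in each interval, keyed by interval start (UTC)."""
    buckets = OrderedDict()
    for ts, value in samples:
        epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
        start = epoch - epoch % span  # floor to the interval boundary
        key = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        buckets[key] = max(buckets.get(key, value), value)
    return buckets


def rate_of_change(samples, span=SPAN_SECONDS):
    """Equivalent of `| delta out_msgs as delta`, plus reset handling.
    Returns [(interval_start, messages_in_interval)]; the value is None for the
    first interval (nothing to diff against) and for an interval in which the
    counter went backwards, which is a reset rather than a negative rate."""
    rows = []
    prev = None
    for start, cur in bucket_max(samples, span).items():
        if prev is None or cur < prev:
            delta = None
        else:
            delta = cur - prev
        rows.append((start, delta))
        prev = cur
    return rows
```

In the SPL pipeline itself the reset interval shows up as a negative `delta`; filtering or flagging `delta<0` after the `delta` command is the equivalent check.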

jdsumsion
Engager


index=os sourcetype=interfaces host=prefix-*
| reverse
| streamstats range(TXbytes) as tx_delta global=f window=2 by host
| timechart span=1m max(tx_delta) as tx_delta by host

Based on https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html and tweaked to work for fleets of hosts.



jgc94131
Explorer

This is great. I understand it. It's simple. It uses delta. Excellent.


MuS
SplunkTrust

HeHe, looks like I missed something in my delta example, but I cannot figure out what .... ? 🙂

MuS
SplunkTrust

Hi jgc94131,

take this run-everywhere example and adapt it to your needs:

index=_internal
| bucket _time span=15min
| multikv fields series, kbps
| stats earliest(kbps) as previous, latest(kbps) as current by _time, series
| eval rateofchange=round((current-previous)/previous,2)
| rename rateofchange as "% Rate of Change"

This will create a stats table of kbps per series and evaluate a % Rate of Change per 15-minute interval.
If you only want to see the delta between the 15min intervals, you can also use something like this:

index=_internal | timechart span=15min avg(kbps) AS avgKBPS | delta avgKBPS

hope this helps to get you started ...

cheers, MuS

linu1988
Champion

Could you be a little more clear? You are plotting them for every 15 minutes already. What do we require here? Is rate another param?

|bucket _time span=15m |chart max(rate) by out_msgs

|timechart span=15m max(rate) by out_msgs

Thanks,
L


jgc94131
Explorer

out_msgs is a counter that increments on each output message. I want to measure its rate of change.
