- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to generate a search to report on gradual chan...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to generate a search to report on gradual changes in value over time?
Hi
I would like to display the time stamp of the events when there is gradual change in the value. Here is the sample of data.
Time Price
10:00 15
10:01 14
10:02 12
10:03 15
10:04 14
10:05 13
10:06 9
10:07 7
10:08 8
10:09 6
10:10 5
10:11 4
10:12 13
10:13 12
10:14 14
10:15 4
10:16 9
10:17 8
10:18 6
10:19 5
10:20 1
10:13 12
10:14 14
10:15 12
I would expect to see the output as "Decline" at "10:06 to 10:11" and "10:15 to 10:20" . Can it be Splunked?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will something like work for you?
your current search giving field Time Price
| streamstats current=f window=1 values(Price) as prev_price
| eval Result=case(Price<prev_price,"Decline",Price>prev_price,"Increase",1=1,"No Change") | fields - prev_price
You can update the text that you want to show during increase or no change to blank.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated the query with the criteria and using transaction to get the duration of the event. But for some reason duration is showing 0. How can I create a query to get the Results counting "Decline" > 5 , get start and end time of the events.
"Decline Time 1" "10:06 to 10:11"
"Decline Time 2" "10:15 to 10:20"
| streamstats current=f window=1 values(Price) as prev_price
| eval Result=case(Price<10,"Decline",Price>10,"Increase",1=1,"No Change")
| transaction startswith=Result=Decline endswith=Result=Decline
| table Time Result Price duration
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, query looks good but the output is not as desired. I might need to do eval and look for avg and do comparison.
Price Result Expected
15 Increase
14 Increase
12 Decline
15 Increase
14 Increase
13 Increase
9 Increase Decline
7 Decline Decline
8 Increase Decline
6 Increase Decline
5 Increase Decline
4 Decline Decline
13 Increase
12 Decline
12 No Change
14 Increase
14 No Change
12 Increase
4 Decline Decline
9 Increase Decline
8 Increase Decline
6 Increase Decline
5 Increase Decline
1 No Change Decline
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What should be criteria? From you example, you only want to show Decline. Do you have any threshold for percent change OR a number? If yes, you just need to update the case statement accordingly.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
