- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Join events and evaluate difference price
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have data like this
I am joined uuid over market data together like that
But there is 4 times date column i want to show only one and i want to add price difference column like
Cex.io - koinim = 7280.10 - 7377.70 = 97.6 how can i achieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have three or more different markets at each point in time, so there are three or more different price differences. With a fourth market, there are six different price differences; with five, there are ten.
If I were you, for a dashboard, I would present two different panels, both using the same base search. The first panel would be the actual prices. The second would be the difference between the prices, in a specific order (you pick one).
Here's your base search...
sourcetype="coinmarketcap_csv" etc.etc.etc.
| eval market = upper(substr(market,1,3))
| eval {market} = price
| fields - vol* market
| stats first(_time) as _time values(*) as * range(price) as HILO by uuid
| fields - price
The above gives you BTC, CEX, KOI and PAR as your four prices, with HILO as the difference between top and bottom prices.
This section calculates the six differences. This is largely redundant, because any 3 encode all the rest. If you select one of them, for example BTC, as the "standard", then everything else stands in relationship to that standard, and you would only need the first three lines.
| eval BTCCEX = BTC - CEX
| eval BTCKOI = BTC - KOI
| eval BTCPAR = BTC - PAR
| eval CEXKOI = CEX - KOI
| eval CEXPAR = CEX - PAR
| eval KOIPAR = KOI - PAR
See if the above helps you get what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have three or more different markets at each point in time, so there are three or more different price differences. With a fourth market, there are six different price differences; with five, there are ten.
If I were you, for a dashboard, I would present two different panels, both using the same base search. The first panel would be the actual prices. The second would be the difference between the prices, in a specific order (you pick one).
Here's your base search...
sourcetype="coinmarketcap_csv" etc.etc.etc.
| eval market = upper(substr(market,1,3))
| eval {market} = price
| fields - vol* market
| stats first(_time) as _time values(*) as * range(price) as HILO by uuid
| fields - price
The above gives you BTC, CEX, KOI and PAR as your four prices, with HILO as the difference between top and bottom prices.
This section calculates the six differences. This is largely redundant, because any 3 encode all the rest. If you select one of them, for example BTC, as the "standard", then everything else stands in relationship to that standard, and you would only need the first three lines.
| eval BTCCEX = BTC - CEX
| eval BTCKOI = BTC - KOI
| eval BTCPAR = BTC - PAR
| eval CEXKOI = CEX - KOI
| eval CEXPAR = CEX - PAR
| eval KOIPAR = KOI - PAR
See if the above helps you get what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works thanks; but i want to learn how it is work
| eval market = upper(substr(market,1,3))
It takes first 3 charcter ok.
| eval {market} = price
what that mean { }
| fields - vol* market
it doesnt show vol and market
| stats first(_time) as _time values() as * range(price) as HILO by uuid
get first time as time ok
values() as * for what?
* range(price) as HILO by uuid and i dont understand?
| fields - price
dont show price
| eval BTCCEX = BTC - CEX
it works and also i am add
| eval BTCCEX = BTC - CEX | search BTCCEX > 50
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The curly braces {} will take whatever value is in the variable and use that as the name of a new variable.
stats values(test*) as val* by something will take each variable that starts with test, and will create a variable that starts with val, that contains all the values (up to 100). So, for instance, test1 becomes val1, testfoo becomes a variable valfoo.
stats values(*) as * will take every field that isn't already part of the by and roll together all the values (up to 100) into the same field name.
And that is the reason for the fields - command before it... I don't want the system to spend any CPU time on the fields I am getting rid of.
range(price) as HILO The range() is the difference between the highest and lowest values of something. In this case, the highest price and the lowest price. So that's your maximum delta. You didn't really ask for it, but I'd put it there when working through your needs, and never took it out after I figured that you had several prices.
The best way to understand what each line of code does is to start with the top selection criteria, add a | head 10 to get the first ten records of data, and then add back one line at a time, and see how that line transforms the data. Seems like you did some of that. Well done in figuring out what you did.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
everything is fine except curly brances{ }
I understand it is like an array we can put some variables into single variable?
Am i correct?
If i am wrong, that means it is only a new variable.
what is the differnce between
eval {market} = price
eval market = price
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which time you want to show (from which market)? Is the price diff columns (market names) are fixed?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
