We have events from several hosts. We want to get the difference in the value of the field between two different times for each host and process, and also compare those two values and display only those which are higher than in the previous time period.
index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS Val1 by host process_name
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m]
I have tried this in some other ways too, but I am not able to display the Value for the current time period.
Hi @omprakash9998
Give this a try
index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| stats latest(older) as older latest(newer) as newer by host process_name
| where newer > older
A better way would be to use something like bins to bucket your samples into groups, but the above should suffice.
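As an added example (not part of the answer above, and not Splunk's own documentation), here is one way to do the same per-host, per-process comparison in a single search, without append, join or a second subsearch. The search pulls the whole 15-minute range once, uses eval to label each sample as belonging to the older (-15m to -5m) or newer (-5m to now) window, and lets stats compute both averages in one pass. It assumes the same index, eventtype, object and counter names as the thread; the field names older, newer, delta and pct_change are chosen here, not taken from the thread.

```spl
index=perfmon eventtype="perfmon_windows" object=Process counter="Private_Bytes" earliest=-15m@m latest=@m
| eval boundary=relative_time(now(), "-5m@m")
| eval older=if(_time <  boundary, Value, null())
| eval newer=if(_time >= boundary, Value, null())
| stats avg(older) AS older avg(newer) AS newer by host process_name
| where isnotnull(older) AND isnotnull(newer) AND newer > older
| eval delta=newer-older, pct_change=round(100*(newer-older)/older, 2)
| sort 0 -pct_change
| table host, process_name, older, newer, delta, pct_change
```

Two practical notes on the thread's approaches: append and join run a subsearch, which is subject to the default subsearch result and time limits, so on a busy perfmon index the newer half can be silently truncated; and latest() orders by _time, which the preceding stats command has already removed, so applying it to stats output is not a reliable way to pick the row that carries a value. Keeping everything in one pipeline avoids both issues. The where clause also drops processes that only exist in one of the two windows (a process that just started has no older value), which is usually what you want when hunting for memory growth rather than new processes.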
Hi @chrisyoungerjds
The search returns "No results found". But there is a definite difference in the Value for the two time periods. I ran them individually and checked.
Thanks,
om
If you cut the search down to this, does it work?
index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| stats latest(older) as older latest(newer) as newer by host process_name
Now it is populating the table with the fields host, process_name, older and newer. But the older and newer columns are empty.
index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name
| join [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| table host, process_name, older, newer
I used join in place of append and used the table command at the end instead of stats, and it works for now.