- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to check the gradual increase of the value of ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to check the gradual increase of the value of a field which crosses 3 time increment
I have a requirement, where I need to display name of an queue, for which the size of the queue is keep on increasing. Basically I am searching for every 15 minutes, to check in each 5 minutes of time span, what is the size of my queue. If the size of the queue in each 5 minutes shows some gradual increase, I want that queue to be displayed. There may be the case first 10 minutes, it increase and again the 3rd time it may decrease. I dont want that kind of information. For example
Queue Name: XY
Size of the Queue in last 15 minutes:
1st 5 minute size - 10
2nd 5 minute size - 20
3rd 5 minute size - 30
4th 5 minute size - 35, etc.,
So in this kind of situation I want to check only the 15 minutes with 5 minutes time span and see whether there is any increment in the value of the field. If there is a positive growth in continuous 3 times, then I need to display that particular queue.
I have checked that streamstats will be helpful in this case. Can anyone please suggest me on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this anywhere:
| gentimes start=-1 increment=5m
| head 20
| eval _time = starttime
| eval queue = "queue1"
| table _time queue
| eval value = random()%20 + 20
| streamstats current=f window=1 last(value) as prev_value
| streamstats current=f window=1 last(prev_value) as prev_prev_value
| eval growing = if(value > prev_value AND prev_value > prev_prev_value,1,0)
look for where growing has a value of 1
note: might be other better and cleaner ways to achieve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @adonio , I have tried this method but it is not giving me the expected one. Below is my current search query. Here we are comparing the current depth of the queue with a threshold limit which is fed through a lookup file. If possible please let me know any other ways to achieve this.
earliest=-5m@m index=* sourcetype=* host=prod*
|stats latest(DEPTH) AS "QueueDepth" latest(AGE) as "MessageAge" by QUEUE, _time
| lookup Queue_Threshold.csv QUEUE OUTPUT THRESHOLD_DEPTH, THRESHOLD_AGE
|eval Behaviour=case((QueueDepth > THRESHOLD_DEPTH AND MessageAge > THRESHOLD_AGE),"Abnormal",MessageAge > THRESHOLD_AGE, "Abnormal", 1=1,"Normal")
| search Behaviour="Abnormal" AND QueueDepth > 0
|stats latest(QueueDepth) as QueueDepth, latest(MessageAge) as MessageAge, max(THRESHOLD_DEPTH) as NormalThresholdQueueDepth, max(THRESHOLD_AGE) as NormalThresholdMessageAge by QUEUE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vnravikumar ,
Any suggestions on this?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
