Need to compare the last hour values of the fields...

kartm2020 · ‎09-12-2019

Hi,
We are monitoring the transaction count. I need to verify the results of last one hour, if there is any decrease in the count the alert needs to be generated.
For example :
7 AM to 8 AM - transaction count with fields
8 AM to 9 AM - I need to verify the fields values with 7AM to 8AM field values. If the count get decreased alerts needs to notified.
How to write the search for this scenario.?
Please suggest

kartm2020 · ‎09-12-2019

Great. Thank you. How can i compare the fields values with 1hour_before with latest fields values

gcusello · ‎09-12-2019

Hi kartm,
did you explored the timewrap command? ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Timewrap )

your_search
| timechart count span=1h 
| timewrap 1hour

Bye.
Giuseppe

gcusello · ‎09-12-2019

Hi kartm,
if this answer satisfies your need, please, accept and/or upvote it.
Bye, see next time.
Giuseppe

kartm2020 · ‎09-13-2019

How can i compare the fields values with 1hour_before with latest fields values

gcusello · ‎09-13-2019

try something like this:
you must adapt your search creating something like this

index=_internal earliest=-3h@h latest=-h@h
| timechart count
| timewrap 1h

Bye.
Giuseppe

kartm2020 · ‎09-13-2019

Hi Giuseppe,
It is giving the expected result. But i need the difference the two fields and results should be in the third field as a percentage.

gcusello · ‎09-13-2019

Try this

index=_internal 
| timechart span=1h count
| delta count AS Delta
| eval deltaPerc=Delta/count*100

Bye.
Giuseppe

Need to compare the last hour values of the fields with current one hour

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life