I have a field that should be increasing - though not monotonically increasing.
a=1
a=4
a=9
a=13
a=14
a=10
a=101
I want to alert if the number gets smaller. Here's my attempt at this.
index="myindex" | stats max(a) as maxnum | where a < maxnum
That doesn't find it because the number never decreases below 101. However, even if I change the query, it doesn't find any rows!
index="myindex" | stats max(a) as maxnum | where a < (maxnum-100)
Obviously, that doesn't do what I want. But it was an interesting diagnosis. I was inspired by this question, but I can't change it to do what I want. Can/should I do this with a subsearch?
You might be able to do this with the "delta" search operator.
http://www.splunk.com/base/Documentation/latest/SearchReference/Delta
Basically, do a search similar to:
index="myindex" | delta a as a_delta | where a_delta < 0
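To show what the delta search above actually computes (and how it differs from a streamstats-style "below the running max" check), here is a small Python model written for this answer; it is not Splunk code and not from the original poster. The events are constructed to match the numbers in the question, with a made-up _time field, and the functions delta(), find_decreases() and find_below_running_max() are my names. One caveat reflected in the code: delta works on events in the order the search returns them, and Splunk returns events newest-first by default, so sort chronologically (for example with `| sort _time`) before `delta` or the sign of every delta is flipped.

```python
# Constructed sample events in the shape the question describes: the field "a"
# plus a timestamp. Not data from the poster's index.
SAMPLE_EVENTS = [
    {"_time": 1, "a": 1},
    {"_time": 2, "a": 4},
    {"_time": 3, "a": 9},
    {"_time": 4, "a": 13},
    {"_time": 5, "a": 14},
    {"_time": 6, "a": 10},   # drops below the previous value and the running max
    {"_time": 7, "a": 12},   # rises from 10 but is still below the running max 14
    {"_time": 8, "a": 101},
]


def delta(events, field="a", out="a_delta"):
    """Model of Splunk's `delta <field> as <out>`: each event gets
    current value minus previous event's value; the first event has
    no previous value and so gets no delta (None here, blank in Splunk)."""
    result = []
    prev = None
    for ev in events:
        ev = dict(ev)
        ev[out] = None if prev is None else ev[field] - prev
        prev = ev[field]
        result.append(ev)
    return result


def find_decreases(events, field="a"):
    """`... | sort _time | delta a as a_delta | where a_delta < 0`:
    events whose value is smaller than the immediately preceding one."""
    ordered = sorted(events, key=lambda e: e["_time"])
    return [
        ev for ev in delta(ordered, field)
        if ev["a_delta"] is not None and ev["a_delta"] < 0
    ]


def find_below_running_max(events, field="a"):
    """streamstats-style alternative: flag any event below the largest
    value seen so far, not just below its immediate predecessor."""
    ordered = sorted(events, key=lambda e: e["_time"])
    running_max = None
    hits = []
    for ev in ordered:
        if running_max is not None and ev[field] < running_max:
            hits.append({**ev, "maxnum": running_max})
        running_max = ev[field] if running_max is None else max(running_max, ev[field])
    return hits


if __name__ == "__main__":
    # delta flags only a=10 (14 -> 10); the running-max check also flags a=12.
    print("delta < 0:", [e["a"] for e in find_decreases(SAMPLE_EVENTS)])
    print("below running max:", [e["a"] for e in find_below_running_max(SAMPLE_EVENTS)])
```

The two checks answer slightly different questions: delta fires once per downward step, while the running-max version keeps firing until the field climbs back above its previous peak. Pick whichever matches the alert you actually want to receive.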
delta is precisely what I needed. Streamstats might too, but delta was even easier!
You could do it with streamstats too, but delta is the simplest approach.