Hi,
I'm looking to do something like this:
Take a search with three fields, one being a count (ExceptionClass and Class, both extracted from the same single event, plus count(Class)) over a 10-minute time period; run that same search to get data from 20m to 10m ago; and then compare the differences between the two results. Where I'm having issues is figuring out which function to use: set diff, append, or whatever.
Basically, here's a similar scenario:
In a 10m-to-now search, you pull up all your http events and count each one. So, let's say your first search comes back with the counts below:
http 500 - 30
http 401 - 20
http 200 - 50
http 201 - 50
Then you take that same search with earliest being 20m ago and latest 10m ago, and get the counts below:
http 401 - 5
http 200 - 5
http 201 - 5
I want a table that outputs like this:
http 401 - 25
http 200 - 55
http 201 - 55
In this case, the second search didn't produce any http 500 codes, so I want that result dropped from my final output, while the others that did appear have their counts added together.
A rough search I have so far is:
| set diff [search index=dynatrace-exceptions App=EDPPS1 earliest=-10m latest=now | stats count(Message) by ExceptionClass, Message] [search index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=-10m | stats count(Message) by ExceptionClass, Message] | table ExceptionClass, Message, "count(Message)"
Not even sure Splunk can do this, so any direction would be great!
Ryan
Give this a try
index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=now
| eval period=if(_time>=relative_time(now(),"-10m"),"current","previous")
| eval commonfield=ExceptionClass."##".Message
| chart count(Message) over commonfield by period
| eval difference=previous-current
| rex field=commonfield "(?<ExceptionClass>[^#]+)##(?<Message>.+)"
| table ExceptionClass Message difference current previous
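An added variation on the accepted approach (my own search, not part of the original answer) that also covers the part of the question the answer leaves out: rows that only appear in one of the two windows are dropped, and the counts are summed as well as differenced. `set diff` would not have done this, since it returns rows present in exactly one of the two result sets, the opposite of what is wanted. Instead of concatenating ExceptionClass and Message with "##" and splitting them back out with rex (which breaks if a Message ever contains "##"), this uses `stats` with eval-conditioned counts grouped by both fields directly. Index, App, and field names are taken from the thread; the output field names total and difference are my own.

```spl
index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=now
| eval period=if(_time>=relative_time(now(),"-10m"),"current","previous")
| stats count(eval(period="current")) AS current,
        count(eval(period="previous")) AS previous
        BY ExceptionClass, Message
| where current>0 AND previous>0
| eval total=current+previous, difference=current-previous
| table ExceptionClass Message previous current total difference
| sort - difference
```

Both `earliest=-20m` and `relative_time(now(),"-10m")` are evaluated against the search's start time, so the two 10-minute windows line up whether the search is run ad hoc or scheduled. For the HTTP example in the question, replace the BY fields with the status field; a positive difference on 401 or 500 between adjacent windows is the kind of signal you would alert on. If you want rows seen only in the current window kept (a new exception class appearing is often the interesting case), drop the `previous>0` condition from the `where`.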
Good one. Thanks.
This worked! Never thought of doing it this way. Thank you!