We have a Splunk index for certain events. Events are categorized by event type.
I need to find fixed-size (let's say, 5 min) windows where the frequency (events per second) of any event type drops or rises by more than a preset percentage (let's say, 50%) compared to the preceding window.
I tried, unsuccessfully, something like this:
index=index_of_events
| eval cnt=1
| timechart span=20s limit=40 per_second(cnt) as ev by ev_type useother=f usenull=f
| streamstats window=40 global=false first(ev) as start last(ev) as end by ev_type
| eval diff=abs(start-end)
| eval max_val=max(start, end)
| where diff > 0 AND max_val > 0
| eval prc=100*diff/max_val
| where prc > 50
Is this approach doable? Can I pipe timechart directly to streamstats, or do I need something like untable between them?
Is there a better way to accomplish such a task?
If possible I would also like to exclude low-frequency events (I do not care if 2/sec becomes 1/sec).
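The search below is an added example, not the original poster's search. It shows the shape the pipeline needs to take: timechart with a by clause produces one column per ev_type, so streamstats ... by ev_type has nothing to group on until untable turns those columns back into one row per (_time, ev_type). streamstats then fetches the previous window's rate for the same type, and the low-frequency filter drops pairs where neither window reaches a minimum rate. index_of_events and ev_type come from the question; the 5-minute span, the 50% threshold and the minimum rate of 5 events/sec (the top>=5 test) are assumed values to adjust.

```spl
index=index_of_events
| timechart span=5m count by ev_type useother=f usenull=f limit=0
| untable _time ev_type n
| eval ev=n/300
| sort 0 ev_type _time
| streamstats current=f window=1 last(ev) as prev by ev_type
| eval top=max(ev, prev)
| where isnotnull(prev) AND top>=5
| eval prc=round(100*abs(ev-prev)/top, 1)
| where prc>50
| table _time ev_type prev ev prc
```

The divisor 300 is the span in seconds and must change with span=; the last, still-open bucket of the search range is a partial window and will read low, so either exclude it or align the search's latest= to a bucket boundary. untable keeps zero counts from timechart, so a type that disappears entirely still shows up as a 100% drop, which is usually the case a defender most wants to see.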