I want to know how to write a search query in Splunk in order to check if the current search is greater than 20% of the previous search. I am getting events on a particular count every 10 min. I want to check if my current count (for the last 10 min) is greater than 20% of my previous count (for the last 20 min). I need to use a subsearch to make the comparison. But I'm not getting a result, though. Can anyone help?
What does your data look like? What have you tried so far? – warren Sep 30 '20 at 21:01
1 Answer
I suggest saving the search results to a summary index. Then you can have a separate search process the summary index looking for instances where the result is 120% of the previous result.

To save your search results to a summary index, add `| collect index=<summary>` to your existing search. `<summary>` is the name of an existing index that will receive the search results.

The search that will process the summary can use the `streamstats` command to process events.
index=summary
`comment("Take the two newest summary rows; Splunk returns events newest first")`
| head 2
`comment("Put them oldest-first so streamstats can carry the older value forward")`
| reverse
`comment("prev is the earlier row's foo; current=f keeps the current row out of the window")`
| streamstats current=f last(foo) as prev
`comment("Alert when the current value exceeds the previous one by more than 20%")`
| where isnotnull(prev) AND foo > prev * 1.2
RichG
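A runnable illustration of the comparison the answer describes, added here as example code (Python rather than SPL, and not from the original post or from Splunk): constructed event timestamps are binned into 10-minute buckets the way `bin _time span=10m | stats count by _time` would, the two newest buckets are paired oldest-to-newest (the same job `| reverse | streamstats current=f last(...)` does), and the newest bucket is flagged when it exceeds the previous one by more than 20%. The field name `count`, the sample timestamps, the refusal to compare non-adjacent buckets, and the treatment of an empty previous bucket are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original post): raw event timestamps
# as a job running every 10 minutes would see them.
EVENT_TIMES = [
    "2020-09-30T21:11:05Z", "2020-09-30T21:14:40Z",                            # 21:10 bucket -> 2
    "2020-09-30T21:21:00Z", "2020-09-30T21:23:30Z", "2020-09-30T21:27:59Z",    # 21:20 bucket -> 3
    "2020-09-30T21:30:01Z", "2020-09-30T21:31:00Z",
    "2020-09-30T21:35:00Z", "2020-09-30T21:39:59Z",                            # 21:30 bucket -> 4
]

SPAN = timedelta(minutes=10)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_start(ts, span=SPAN):
    """Floor a timestamp to its span, like `bin _time span=10m`."""
    epoch = ts.timestamp()
    secs = span.total_seconds()
    return datetime.fromtimestamp(epoch - (epoch % secs), tz=timezone.utc)


def bucket_counts(event_times, span=SPAN):
    """Equivalent of `bin _time span=10m | stats count by _time`.
    Rows come back newest first, the order Splunk lists events in."""
    counts = {}
    for s in event_times:
        b = bucket_start(parse_time(s), span)
        counts[b] = counts.get(b, 0) + 1
    rows = [{"_time": b, "count": c} for b, c in counts.items()]
    return sorted(rows, key=lambda r: r["_time"], reverse=True)


def previous_and_current(rows, span=SPAN):
    """Pick (previous, current) counts from summary rows given in any order.
    Sorting ascending mirrors `| reverse | streamstats current=f last(count) as prev`,
    so 'previous' really is the older bucket. Assumption: if the two newest
    buckets are not adjacent (a run was skipped), there is nothing valid to
    compare and None is returned instead of a misleading pair."""
    ordered = sorted(rows, key=lambda r: r["_time"])
    if len(ordered) < 2:
        return None
    prev, cur = ordered[-2], ordered[-1]
    if cur["_time"] - prev["_time"] != span:
        return None
    return prev["count"], cur["count"]


def exceeds_previous(rows, pct=20, span=SPAN):
    """True when the newest bucket's count is more than pct percent above the previous one."""
    pair = previous_and_current(rows, span)
    if pair is None:
        return False
    prev, cur = pair
    if prev == 0:
        # Assumption: any activity after an empty bucket counts as a jump,
        # rather than dividing by zero or silently ignoring it.
        return cur > 0
    return cur > prev * (1 + pct / 100)


if __name__ == "__main__":
    rows = bucket_counts(EVENT_TIMES)
    for r in rows:
        print(r["_time"].isoformat(), r["count"])
    print("alert:", exceeds_previous(rows))
```

The adjacency check is the part a plain `| head 2` cannot give you: if the scheduled search missed a run, the two newest summary rows are twenty minutes apart and the comparison is against stale data. In SPL the same guard can be written by keeping `_time` on the summary rows and checking the gap with `streamstats` alongside `prev`.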