Based on an event log, we would like to find event types whose frequency changed by 50% or more over a 5 min window.
Using my limited Splunk knowledge and heavy Googling, I came up with something like this:
```spl
index=index_of_events
| eval cnt=1
| timechart span=20s limit=40 per_second(cnt) as ev by ev_type useother=f usenull=f
| streamstats window=40 global=false first(ev) as start last(ev) as end by ev_type
| eval diff=abs(start-end)
| eval max_val=max(start, end)
| where diff > 0 AND max_val > 0
| eval prc=100*diff/max_val
| where prc > 50
```
I'm getting reasonable output after `streamstats`, but then I'm losing the data.
Was it OK to pipe `timechart` directly into `streamstats`? Did I need `untable` (or something) in between?
How do I get it right?
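As an added example (not from the original post), here is one way to write the pipeline with `untable` between `timechart` and `streamstats`. It assumes the field names from the question (`ev_type` for the event type, `ev` for the per-bucket rate) and that a 5-minute window over 20-second buckets is 15 buckets; the `index=index_of_events` placeholder is kept as-is.

```spl
index=index_of_events
| timechart span=20s limit=40 count as ev by ev_type useother=f usenull=f
| untable _time ev_type ev
| streamstats window=15 global=false first(ev) as start last(ev) as end by ev_type
| eval diff=abs(start-end), max_val=max(start, end)
| where diff > 0 AND max_val > 0
| eval prc=100*diff/max_val
| where prc > 50
| table _time ev_type start end prc
```

The reason `untable` matters: `timechart ... by ev_type` produces a wide table with one column per event type value, so after it there is no `ev_type` field and no `ev` field for `streamstats ... by ev_type` to group on. `untable _time ev_type ev` turns that wide table back into one row per (`_time`, `ev_type`) with the bucket value in `ev`, which is the shape `streamstats` needs. With `window=15` and 20-second buckets, `start` is the rate at the oldest bucket in the last 5 minutes and `end` is the current bucket, so `prc` is the percentage change across the window; rows for types that never occurred in the window are dropped by the `max_val > 0` guard rather than dividing by zero.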