https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223907#M7888 <P>Getting stdev is easy. The problem is to search based on 0-stdev in a sub period of the total search, because it is not 0 in the entire search period (in which case I can use an eventstat to identify them).</P> Mon, 14 Sep 2015 22:29:37 GMT yuanliu 2015-09-14T22:29:37Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223905#M7886 <P>I have a search that returns a large number of series of data to be displayed/analyzed easily. These series show three distinct patterns:</P> <OL> <LI>Flat at beginning, rugged after some time.</LI> <LI>Irregular throughout.</LI> <LI>Zero (flat) at beginning, rugged after some time.</LI> </OL> <P>I want to then search according to each pattern. This falls into pattern recognition, but for my purposes, a simple method to identify the flat beginning is good enough. In other words, I only need to "search those with flat beginning greater than 11", "search those with flat beginning of 0", and "search those that are neither." Is there a simple method to do this?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/655iF21CE270485A6AB9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 14 Sep 2015 20:36:15 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223905#M7886 yuanliu 2015-09-14T20:36:15Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223906#M7887 <P>You could try using multiple functions in your timechart command, along with some <CODE>| where</CODE> clauses. If you use the stdev function then you'll be able to detect the flat lines (since stdev would be 0). Take a look at: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonStatsFunctions</A></P> Mon, 14 Sep 2015 21:44:15 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223906#M7887 masonmorales 2015-09-14T21:44:15Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223907#M7888 <P>Getting stdev is easy. The problem is to search based on 0-stdev in a sub period of the total search, because it is not 0 in the entire search period (in which case I can use an eventstat to identify them).</P> Mon, 14 Sep 2015 22:29:37 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223907#M7888 yuanliu 2015-09-14T22:29:37Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223908#M7889 <P>I realize that the original question miss this info: The illustrated time pattern is produced by<BR /> | timechart count by ID<BR /> Some IDs fall into 1, some fall into 2, some fall into 3.</P> Mon, 14 Sep 2015 22:58:39 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223908#M7889 yuanliu 2015-09-14T22:58:39Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223909#M7890 <P>Assume</P> <PRE><CODE>yoursearchhere | timechart count by ID </CODE></PRE> <P>And you want to analyze the first 11 time periods reported by timechart, then do this</P> <PRE><CODE>yoursearchhere | bin span=1h _time | stats count by _time ID | appendpipe [ head 11 | stats stddev(count) as sdev avg(count) as avg by ID | eval pattern=case(avg&lt;.1,"Zero at beginning", sdev &lt; .25,"Flat at beginning", 1==1,"Other") | fields ID pattern ] | stats first(pattern) first(count) by _time ID </CODE></PRE> <P>I think this will give you a starting point. The <CODE>appendpipe</CODE> takes a copy of the data at that point in the execution pipeline, processes it and appends the results to the main pipeline. Oh, and I set the time interval to hours in the <CODE>bin</CODE> command - you could do this using <CODE>timechart</CODE> as you started, but I think it is easier to use <CODE>bin</CODE> and <CODE>stats</CODE>.</P> Mon, 14 Sep 2015 23:28:21 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223909#M7890 lguinn2 2015-09-14T23:28:21Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223910#M7891 <P>"head" and "appendpipe" (and first()) are what I missed. Thanks! (Now I want even more commands to zoom in any given internal:-)</P> <P>I just realize that "count by _time ID" does not give out 0 for missing values at the two ends. (Strangely, timechart always does.) I even tried fillnull to no avail. (I know this was encountered in another question, but fillnull seemed to have solved the problem.) Ideas?</P> Tue, 15 Sep 2015 19:50:29 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223910#M7891 yuanliu 2015-09-15T19:50:29Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223911#M7892 <P>Bah! I guess the timechart solution is better:</P> <PRE><CODE> yoursearchhere | timechart count by ID | untable _time ID count </CODE></PRE> <P>then <CODE>appendpipe</CODE> etc as before</P> <P>HTH!</P> Tue, 15 Sep 2015 23:41:50 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223911#M7892 lguinn2 2015-09-15T23:41:50Z https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223912#M7893 <P>Thanks, @lguinn. <CODE>untable</CODE> is such a handy command! I had previously asked about <A href="http://answers.splunk.com/answers/149425/how-to-produce-empty-time-buckets.html">filling leading zeros</A>, and got a slim but still lengthy method. (My memory lapsed when I said straight <CODE>fillnull</CODE> had worked. It hadn't.) Will test in other use cases.</P> <P>Note after <CODE>untable</CODE>, head will only return the number of events as in total, and not on a per ID basis. This is undesired. (For one, there could be more than 11 IDs.) So <CODE>untable</CODE> should be performed after <CODE>head</CODE> inside <CODE>appendpipe</CODE>. With this adjustment, and adding max() to criteria, I can use the following to group my IDs:</P> <PRE><CODE> yoursearchhere | timechart count by ID | appendpipe [ head 11 | untable _time ID count | stats stdev(count) as sdev max(count) as max by ID | eval pattern=case(max==0,"Zero at beginning", max&gt;0 and sdev &lt; .25,"Flat at beginning", 1==1,"No head pattern") | fields ID pattern ] | stats dc(ID) as Count by pattern </CODE></PRE> <P>Now, there is a tail pattern in my search, whereby some IDs disappears in the final time periods. When I tried to use the same <CODE>untable</CODE> technique, using <CODE>tail</CODE> in place of <CODE>head</CODE>, I got no IDs in. I'll submit as a new question for that one.</P> Wed, 23 Sep 2015 19:15:50 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-recognize-a-flat-pattern-in-a-given-time-period/m-p/223912#M7893 yuanliu 2015-09-23T19:15:50Z