topic Re: Can you help me make a search string that returns a graph of a specific field over time? in Dashboards & Visualizations

Can you help me make a search string that returns a graph of a specific field over time?

aatha89 — Tue, 29 Sep 2020 21:31:00 GMT

I have an assignment, where the events under contents log measurements of diskusage of a Linux host.

The question is: what will the search query be here?

i need for example to make a search that makes a graph over field device_bandwith_utilization over time:

What i am thinking will be the correct answer is the following:

index="main" host="linux" collection="device_bandwith_utilization" 
|timechart values(collection), then choose the tab visualization

does this seems correct for you guys ?

i am not able to test this because this events are just on paper.

Re: Can you help me make a search string that returns a graph of a specific field over time?

VatsalJagani — Sun, 07 Oct 2018 07:12:26 GMT

@aatha89, What Add-on are you using to collect the data?

Re: Can you help me make a search string that returns a graph of a specific field over time?

back2root — Tue, 29 Sep 2020 21:31:06 GMT

If these are your only fields in the Event:

read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization

I do not see and field called collection so your query might more likely start with:

index="main" host="linux" device_bandwith_utilization=*

In addition you've used the values() function within timechart. That doesn't seem to make huge sense in this scenario as is may return to much values if you choose a larger timeframe.
What you whant to use are aggregate functions such as avg() min() max() p75()...

index="main" host="linux" device_bandwith_utilization=*
| timechart avg(device_bandwith_utilization) as "Average BW utilization"

Re: Can you help me make a search string that returns a graph of a specific field over time?

aatha89 — Sun, 07 Oct 2018 17:11:20 GMT

Thanks for clearing this up for me 🙂

Re: Can you help me make a search string that returns a graph of a specific field over time?

aatha89 — Sun, 07 Oct 2018 17:27:31 GMT

I just have this assignment on paper format, and havent been able to use any add-on

Re: Can you help me make a search string that returns a graph of a specific field over time?

aatha89 — Tue, 29 Sep 2020 21:31:15 GMT

@back2root I have some other questions which i have tried to answer, could you see if i am on the right path ?

1)Make a search that sums read_ops and write_ops(disk io) per event(log line)
Ans:
Index="main" host="host" read_ops="* "write_ops="*"
|eval sum = read_ops + write_ops

2) Make a search thats finds det heighest disk io for a time period
Ans:
Index="main" host="host" "write_ops="*"
|stats max(count) by write_ops

3)Make search finds wait_time over 10
Ans:
Index="main" host="host" wait_time="*" wait_time>10

4) Make a search that finds write_KB/write_ops and gives the overall average on the entire time
Ans:
Index="main" host="host" write_KB=""write_ops=""
|eval result=write_KB/write_ops //calculate
|stats avg(result) //the average of the result
|timechart count by result //For the entire search time

Re: Can you help me make a search string that returns a graph of a specific field over time?

aatha89 — Tue, 29 Sep 2020 21:31:18 GMT

@back2root i have some other questions which i have tried to answer, hope you can tell me if i am on right path.

1)Make a search that sums read_ops and write_ops(Disk io)
Ans:
index="main" host="linux" read_ops="" write_ops=""
|eval sum=read_ops+write_ops

2)Make a search that finds the heighest disk io for a time period
Ans:
index="main" host="linux" write_ops="*"
|stats max(count) by write_ops

3)Make search that finds the wait_time over 10
Ans:
index="main" host="linux" wait_time="*" wait_time>10

4)Make a search that finds write_kB/write_ops and gives the overall average for the entire search time
Ans:
index="main" host="linux" write_KB="" write_ops=""
|eval result = write_kB/write_ops //calculates
|stats avg(result) //finds the average
|timechart count by result // for the entire search time