topic Re: Track growth on new items within a time range using a timechart in Splunk Search

Track growth on new items within a time range using a timechart

clintla — Thu, 05 Dec 2019 18:19:30 GMT

I've tried various attempts at this with no joy. I'm simply trying to create a chart where I can specify w/ the time picker a time range & I can track growth of 1000 or more VMs.

If a VM was at the start and end of the time range, it works fantastic.

The problem is per the screenshot where if a new VM is created (this one created on 11/16) & you compare earliest w/ latest, it doesnt take in consideration that the beginning of the time picker (11/5) that the VM was not present & the capacity used is ZERO (0).

If I use the time picker to choose a range of 11/5 through 11/20, All I can get is a growth of (-84) but the growth should show 13504 because it started with 0 on 11/5

Is there a simple solution for this? I plan on removing just searching for VM1 & want to be able to compare all our VMs to see what VMs grew/shrank the most over whatever time period (using the time picker) I choose.

Re: Track growth on new items within a time range using a timechart

dindu — Thu, 05 Dec 2019 19:31:48 GMT

Hi ,

Could you please try the below solution.
It is also recommended to look into "trendline" command based on your requirement.

Please try the below option and let us know.

 |your_search
 |table _time,disk_space_used,name
 |fillnull value=0 disk_space_used
 |timechart span=1d values(disk_space_used) AS CapacityUsed BY name

Re: Track growth on new items within a time range using a timechart

clintla — Thu, 05 Dec 2019 19:41:09 GMT

when you table it like that.. it drops all the zeros (0s)... same problem I've run into with various attempts.

Its like when you use fillnull that they are all fake 0's.

but I'd like a chart that outputs for time picker ranges from 11/5 to 11/20
VM, capacity growth
vm1 13389

Re: Track growth on new items within a time range using a timechart

clintla — Thu, 05 Dec 2019 19:43:36 GMT

| table _time,disk_space_used,name
| fillnull value=0 disk_space_used
| timechart span=1d values(disk_space_used) AS Capacity BY name

Output

_time   vm1

1 2019-11-05

2 2019-11-06

3 2019-11-07

4 2019-11-08

5 2019-11-09

6 2019-11-10

7 2019-11-11

8 2019-11-12

9 2019-11-13

10 2019-11-14

11 2019-11-15

12 2019-11-16 13588
13 2019-11-17 13618
14 2019-11-18 13622
15 2019-11-19 13428
16 2019-11-20 13389
17 2019-11-21 13457
18 2019-11-22 13478

Re: Track growth on new items within a time range using a timechart

clintla — Thu, 05 Dec 2019 19:57:48 GMT

When I try this
| table _time,disk_space_used,name | timechart span=1d values(name), values(disk_space_used) AS Capacity | fillnull value=0 Capacity

The problem is that the name isnt continued.. maybe thats why it never assigned a prevalue of 0

5 2019-11-09 0
6 2019-11-10 0
7 2019-11-11 0
8 2019-11-12 0
9 2019-11-13 0
10 2019-11-14 0
11 2019-11-15 0
12 2019-11-16 vm1 13588
13 2019-11-17 vm1 13618
14 2019-11-18 vm1 13622
15 2019-11-19 vm1 13428
16 2019-11-20 vm1 13389
17 2019-11-21 vm1 13457
18 2019-11-22 vm1 13478
19 2019-11-23 vm1 13519
20 2019-11-24 vm1 13504
21 2019-11-25 vm1 13505

Re: Track growth on new items within a time range using a timechart

woodcock — Thu, 05 Dec 2019 21:24:41 GMT

You can use the accum command with bin to build the bits that you need:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Accum

Re: Track growth on new items within a time range using a timechart

clintla — Thu, 05 Dec 2019 21:34:39 GMT

But if the server didnt exist in the beginning of the time frame & you ping for the earliest value of a VM.. even if you use accum.. the first value will still not be 0 right? All accum does is take existing values.. the problem is the VM doesnt exist at the beginning of the selected time so its just going to have no values & it will still chose the first value which is not 0 & therefore incorrect.. right?

Re: Track growth on new items within a time range using a timechart

woodcock — Thu, 05 Dec 2019 23:26:57 GMT

This is the Sentinel Search problem discussed (with solution) here:
https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf

Re: Track growth on new items within a time range using a timechart

clintla — Wed, 30 Sep 2020 03:21:02 GMT

How does this create 0's? I have a lookup (YearVM) that creates a list of all VM's existing for a year (which Is what I think you are doing ad-hoc for the append command per below)

Let’s use our lookup to add in the missing items
sourcetype=access_combined action=purchase
| stats sum(price) as revenue by productID
| inputlookup append=true productIDs
| chart sum(revenue) as revenue by productID

When I try it on a "Year to Date" on a VM that was created in July it simply lists all the values, no 0's.

| lookup YearVM NAME1 as name OUTPUT NAME1 as lookupname
| stats values(disk_space_used) as Start by lookupname
| chart min(Start) by lookupname

lookupname min(Start)
vm1 3

vm1 should have a minimum of 0 since Jan 1, it was not created yet.