Charting non indexed values

L064979 — Thu, 27 Feb 2014 04:27:17 GMT

I have a feed going into Splunk currently that follows a trend that looks like it starts at a very small number, then increases during the day until the middle of the day then back down to a small number. What i am wanting to do, is build a search that will look at this day 7 days ago, for every hour add 10% and minus 10% so that i have a threshold that i can chart on my chart for today.

Basically, i want: today's chart, a minimum and a maximum all in the one chart. With the max and min being 10% difference of the time 7 days ago. This is used to say that if the logs of today are more than last week, then it will show me as it will go over the 10% threshold of 7 days ago.

What functions does Splunk have to do this?

Re: Charting non indexed values

kristian_kolb — Thu, 27 Feb 2014 09:34:48 GMT

You need to search for the events that you want to chart, and then alter the timerange so that they can be charted together, that can be done in the old way with manually setting a 'marker' and then adding to the _time field (first example) or you can use the timewrap command, which can be found here as an app: http://apps.splunk.com/app/1645/

For these sample queries data from the _internal index have been used, so you can cut-n-paste these code samples directly to play around with them, as the _internal index is present on all splunk installations. Just make sure that you have the proper access rights.

| multisearch 
  [ search index=_internal sourcetype=splunkd earliest=-7d@d latest=-7d group=per_index_thruput series="_internal"  
   | eval marker="last_week"  ]     
  [ search index=_internal sourcetype=splunkd earliest=@d group=per_index_thruput series="_internal"  
  | eval marker="today" ] 
| eval _time = if(marker=="today", _time, _time + (7 * 86400)) 
| timechart span=1h avg(eps) by marker 
| where isnotnull(today) OR isnotnull(last_week) 
| eval last_week = round(last_week,2) 
| eval today = round(today,2)
| eval last_week_high = last_week * 1.10 
| eval last_week_low = last_week * 0.900 
| fields - last_week

Or using the timewrap command;

| multisearch 
  [search index=_internal sourcetype=splunkd series="_internal" earliest =-7d@d latest=-7d group=per_index_thruput] 
  [search index=_internal sourcetype=splunkd series="_internal" earliest=@d group=per_index_thruput] 
| timechart span=1h avg(eps) as avg_eps 
| timewrap d 
| where isnotnull(avg_eps_latest_day) OR isnotnull(avg_eps_7days_before) 
| eval avg_eps_today = round(avg_eps_latest_day,2) 
| eval low_last_week = round((avg_eps_7days_before * 0.900),2) 
| eval high_last_week = round((avg_eps_7days_before * 1.100),2) 
| fields + _time, avg_eps_today, low_last_week, high_last_week

NB:

You could also with a simpler search where you get all events from the last week and filter out the results after the timewrap command;

index=_internal sourcetype=splunkd earliest=-7d@d group=per_index_thruput series="_internal" 
| timechart span=1h avg(eps) as avg_eps
| timewrap d
| the rest of your commands for filtering out / manipulating fields

Hope this helps,

topic Re: Charting non indexed values in Splunk Search

Charting non indexed values

Re: Charting non indexed values