topic Re: how to get trend on a field from the logs in Splunk Search

how to get trend on a field from the logs

ashishv — Sat, 18 Dec 2010 05:56:41 GMT

Hello i am new to splunk, i have this script that runs every minute and appends a log, it looks like this:

11:05:01@12-17-10       LogName=IntroscopeEnterpriseManager.log PreviousCount=828557  CurrentCount=828559 LineCount=2
11:05:01@12-17-10       LogName=perflog.txt PreviousCount=28919  CurrentCount=28923 LineCount=4
11:06:01@12-17-10       LogName=tessperflog.txt PreviousCount=29174  CurrentCount=29178 LineCount=4
11:06:01@12-17-10       LogName=IntroscopeEnterpriseManager.log PreviousCount=828559  CurrentCount=828598 LineCount=39
11:06:02@12-17-10       LogName=perflog.txt PreviousCount=28923  CurrentCount=28927 LineCount=4

what i want is a create a TREND report on value of LineCount for each Log, there are 3 logs and i want to trend the LineCount by each log\

\thanks Ashish

Re: how to get trend on a field from the logs

sideview — Sat, 18 Dec 2010 06:01:12 GMT

Given what you've said I think you might try this simple search:

sourcetype="<your sourcetype here>" | stats sum(LineCount) by LogName

or if you want to see the counts over time by each log:

sourcetype="<your sourcetype here>" | timechart sum(LineCount) by LogName

What also strikes me is that early on, new users often think they have to write scripts. Sometimes they write a script that parses logfiles and later discover that it's vastly easier to just index the entire log in splunk, get slightly fancier with the splunk search language and throw away their script....

but that's only a suggestion. There can obviously be quite good reasons to go in the direction of custom scripting.

Re: how to get trend on a field from the logs

ashishv — Sat, 18 Dec 2010 06:21:40 GMT

HI Nick,
thanks for a quick response; intent of this script is to check the line count of these logs and if there is a deviation of 20% in the line count from now to last value, it creates a new log of last 200 lines from that moment and splunk picks it up.
as i mentioned that i am still new to this whole setup and dont want to consume splunk licenses unnecessarily with logs that are of value only when there is an issue.

Coming back to ur response, i did try that and it doesnt suffice the needs... here's what i was looking:

log1: 5 6 7 8 1 23 100
log2: 5 3 7 8 5 3 45
log2: 3 1 7 324 12 23

Re: how to get trend on a field from the logs

sideview — Sat, 18 Dec 2010 06:36:08 GMT

OK. I understand what your script is doing. But I dont think I understand what you want the splunk search to do. Can you update your question with more detail?

Re: how to get trend on a field from the logs

ashishv — Sat, 18 Dec 2010 06:42:28 GMT

what i want Splunk to do is draw a trend chart of LineCount by Each LogName, almost similar to how UNIX app does chart for CPU for different Hosts.
so instead of a CPU i want to plot fiedl LineCount... not sure if this help?

thanks
ashish

Re: how to get trend on a field from the logs

chenlevi21 — Wed, 27 Nov 2013 10:32:09 GMT

Did you ever get a reply on this?