topic Re: Plot search data into a static chart template in Splunk Search

Plot search data into a static chart template

CarmineCalo — Sun, 14 Jan 2018 16:37:32 GMT

Splunkers!
Need your help again...

I need to plot the result of a standard events search into a static chart template, basically all the applications belonging to a specific domain vs Weeks in the observation period, see example below

AppID 2016-01 2016-02 2016-03 ...

App1
App2

The event search provide me only a subset of the combinations i have finally to plot in a table (all the empty combinations will be set to 1).

How can i do it?
My first idea was to append the the events all the list of AppIDs and timerange I need to plot, but:
1- I'm not able to do it (just leverage on the append function?)
2- It seems to me not a very clever idea...

Any help will be really appreciated,
tks in advance!

Re: Plot search data into a static chart template

gcusello — Sun, 14 Jan 2018 17:46:30 GMT

Hi CarmineCalo,
could you share few additional information?

Apps are few or many and changing?
why you cannot have in a search all the combinations, could you share your search?

Bye.
Giuseppe

Re: Plot search data into a static chart template

CarmineCalo — Tue, 29 Sep 2020 17:39:04 GMT

Ciao Giuseppe, Apps are around 4k.
They evolve over the time, but i assume to manage their domain through a lookup (they can be considered static during the search).

The final plot of the search will look like something like this one (I need to evaluate App unavailability time)

| stats sum(incident_unavailability) as Unavailability by dateweek_year, AppID

Currently this search works pretty fine, but it reports only dateweek_year and AppIDs that are part of the events (e.g. only ~2k AppIDs vs 4k total), and in general I'd like to have the full picture also when selecting different time ranges (at least for AppIDs, while dateweek_year should be limited to the time range selected)
I want that the final stats would include the full domain of AppIDs and dateweek_year that i need to monitor.

Tks!
Carmine

Re: Plot search data into a static chart template

gcusello — Tue, 29 Sep 2020 17:39:06 GMT

Ciao Carmine,
If you have a full list of dateweek_year, AppID, you can build a lookup (e.g. my_lookup.csv) with all these values and then use a search like this:

your_main_search
| stats sum(incident_unavailability) as Unavailability by dateweek_year  AppID
| append [ | inputlookup my_lookup.csv | eval count=0 | fields dateweek_year AppID count ]
| stats sum(incident_unavailability) as Unavailability by dateweek_year  AppID

In this way Unavailability=0 means that you haven't events.
After you can filter your results to show all the results or only errors, you can also display results in graphic mode (use Splunk 7.x Dashboard Examples App).

Bye.
Giuseppe

Re: Plot search data into a static chart template

CarmineCalo — Sun, 14 Jan 2018 21:18:22 GMT

Almost correct.
One more issue, domain for AppIDs and dateweek_year are in two different files.
How do i have to modify the append?

Last resort will be do create, manually, the permutation b/w AppIDs and dateweek_year and generate a new lookup table.

Tks in advance!
Carmine

Re: Plot search data into a static chart template

gcusello — Mon, 15 Jan 2018 07:33:39 GMT

Hi Carmine,
Let me understand: You have AppIDs and timerange in two tables and you want all the possible combination between the., is it correct?
The easiest way is to create a scheduled search to create Your lookup and then use the above search.
Bye.
Giuseppe

Re: Plot search data into a static chart template

CarmineCalo — Mon, 15 Jan 2018 08:41:39 GMT

Correct, AppIDs and Timerange are in two different tables.

How can i combine the two domains?
I've no clue about the function to be called...

Tks!

Carmine