topic Re: stats vs timechart in Splunk Search

stats vs timechart

apillai01 — Fri, 07 Apr 2017 19:58:35 GMT

i am getting two different outputs while using stats count( 1hr time interval) and timechart count span=1h. I was using timechart to showcase the trend for the previous hour too.

Highly appreciate your comments

Re: stats vs timechart

aaraneta_splunk — Fri, 07 Apr 2017 20:18:01 GMT

@apillai01 - Could you provide more information as to what your intended result should be? It is not clear from your question. Please leave a comment below.

In general, your question has a greater chance of being answered by experts in the Answers community when when you provide as much information and context as possible. Thanks.

Re: stats vs timechart

apillai01 — Fri, 07 Apr 2017 20:24:17 GMT

i am trying to create a dashboard with two views
1. Count of Faults for the current hour
2. Fault trend current vs previous hour

Re: stats vs timechart

somesoni2 — Fri, 07 Apr 2017 20:42:42 GMT

What is the current search (at least provide some sudo code) and the time range used in both the searches? My guess is the timechart's bucket is different (it takes full hour) than what stats is considering and it's because of time range used.

Re: stats vs timechart

apillai01 — Fri, 07 Apr 2017 20:52:35 GMT

current search code: index = sourcetype = * ServiceName=""OperationName="" Fault=true FaultCode="XXXXX"|stats count as Total
Trend( compare current hr vs previous hr): index = sourcetype = * ServiceName=""OperationName="" Fault=true FaultCode="XXXXX"|timechart count span=1h

both the case i am using time range as 1 hour

Re: stats vs timechart

somesoni2 — Fri, 07 Apr 2017 20:58:44 GMT

For Trend, shouldn't you be using time range as 2 hours, one for current hour and one for last hour? Also, when you say current hour, if now is 2:30PM, you want to count 2:00 to 2:30 OR 1:30 to 2:30?

I'm guessing this is what you want but check,

index = sourcetype = ServiceName=""OperationName="*" Fault=true FaultCode="XXXXX" earliest=@h |stats count as Total

index = sourcetype = ServiceName=""OperationName="*" Fault=true FaultCode="XXXXX" earliest=-1h@h |timechart count span=1h

Re: stats vs timechart

DalJeanis — Fri, 07 Apr 2017 22:36:24 GMT

In order to show a trend at a granularity of an hour, you should probably be using a smaller span.

This counts 10 pulses per hour, and then calculates how many faults there had been for the prior 60 minutes at the end of that pulse.

 index= sourcetype=* ServiceName="*" OperationName="*" Fault=true FaultCode="XXXXX" 
| bin _time span=6m
| stats count as pulsecount by _time
| streamstats window=10 sum(pulsecount) as hourcount

This counts 10 pulses per hour, and then calculates that hour's simple moving average of the number of faults in each 6-minute pulse.

 index= sourcetype=* ServiceName="*" OperationName="*" Fault=true FaultCode="XXXXX" 
| bin _time span=6m
| stats count as pulsecount by _time
| trendline sma10(pulsecount) as sma10

For both of the above, you would start with earliest=-3h or so, in order to have an established trend at the -2h point, and then put a where clause at the end to eliminate records that were too old to consider.

Re: stats vs timechart

woodcock — Fri, 07 Apr 2017 23:28:49 GMT

The timepicker probably says Last hour which is -60m@m but time chart does not use a snap-to of @m; it uses a snap-to of @h. To make them match, try this:

Your search here earliest=-2h@h latest=-1h@h | stats count

And compare that to this:

Your search here earliest=-2h@h latest=-1h@h | timechar span=1h count

Re: stats vs timechart

apillai01 — Sat, 08 Apr 2017 01:52:11 GMT

Thanks, it worked!

Re: stats vs timechart

woodcock — Sun, 09 Apr 2017 14:03:39 GMT

Also check out the difference of this with bin:

Your search here earliest=-3h@h latest=-1h@h | bin _time span=1h | stats count