topic Re: Performing calculations on multi values to show on timechart in Splunk Search

Performing calculations on multi values to show on timechart

nishantmishra21 — Tue, 29 Sep 2020 15:03:15 GMT

Hi All, need some insight and help.

I have a MQ like objects, information regarding which is forwarded into splunk at every 5mins.

Now events looks something like this:

2017-05-10 09:00.000||queue_name=MQ1||count_rec=100
2017-05-10 09:05.000||queue_name=MQ1||count_rec=110
2017-05-10 09:10.000||queue_name=MQ1||count_rec=110
2017-05-10 09:15.000||queue_name=MQ1||count_rec=130
2017-05-10 09:00.000||queue_name=MQ2||count_rec=30
2017-05-10 09:05.000||queue_name=MQ2||count_rec=60
2017-05-10 09:10.000||queue_name=MQ2||count_rec=100
2017-05-10 09:15.000||queue_name=MQ2||count_rec=100

Events are in revese chron. Order and even the fields are getting extracted. Rec_count is the number of data published to the MQ, this is the only info i could get.
So difference between value in current with prev. Events would give the count of data came in in last 5mins.

Now i am trying to show on timechart the number of records coming to the MQ over a span.

Is it possible, what should be the approach for this?

Re: Performing calculations on multi values to show on timechart

woodcock — Tue, 25 Jul 2017 15:33:46 GMT

As long as _time is correct (matches what is in the event), order doesn't matter; just do this:

Your Base Search Here | timechart avg(count_rec) BY queue_name

Or perhaps you need sum or max instead of avg and you might need a span= if you don't like what is automatically selected for you.

Re: Performing calculations on multi values to show on timechart

nishantmishra21 — Tue, 25 Jul 2017 15:48:59 GMT

Could try, buy each event is the record count, i would need difference between the event and prior record count, in order to get exact number of records for the particular event. Post which i might use first() and then plotbon timechart.

How to get the difference?

Re: Performing calculations on multi values to show on timechart

DalJeanis — Tue, 25 Jul 2017 21:25:53 GMT

Try this ...

your search that gets _time, queue_name and count_rec
| bin _time span=5m
| stats max(count_rec) as count_rec by queue_name _time 
| streamstats current=f last(count_rec) as prev_count by queue_name
| eval new_recs = count_rec - prev_count
| timechart span=5m sum(new_recs) by queue_name

If the records all have _times that are exactly on the 5 min mark, then the bin is probably not needed.

Re: Performing calculations on multi values to show on timechart

woodcock — Tue, 25 Jul 2017 22:19:46 GMT

OK, like this:

your search that gets _time, queue_name and count_rec
| timechart range(count_rec) AS increase_in_this_span BY queue_name