- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Using Timewrap to get a baseline of where the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Timewrap to get a baseline of where the average traffic should be in a time chart based on a week ago and 2 weeks ago
index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC Allow | timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb
Using the timewrap app, I was trying to provide a baseline of what the traffic should be withtin a 30 minute window based on the same 30 minute window from the past 2 weeks ago on the same day. (Ex: compare the current 30 minute window of Wednesday to the a week and two weeks ago 30 minute window of wednesday) Above is my current search that presents a timechart showing Megabits per second over the last 30 minutes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jaywilwk,
how about this:
index=proxysg sourcetype=proxysg earliest=-3w@w latest=-0w@w
| eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC")
| search Category=IBC Allow
| timechart span=30m per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb
| timewrap w | where strftime(_time, "%A") == "Wednesday"
btw, this is taken form the timewrap docs
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jaywilwk,
take this run everywhere example and adapt it to your needs:
index=_internal source=*metrics.log series="splunkd" earliest=-2w@w | timechart span=30m avg(kbps) as avg_kbps by series | timewrap w | eval myTime=relative_time(now(), "-30m@m") | where _time>=myTime
this will compare the last 30 minutes with the last two weeks at the same 30 minutes.
Please mark this as answered by ticking the tick - thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay, I can only show you the way to go but I cannot solve your problems, because I don't have your real world events available.
Your base search must go over the last two weeks and you probably need to do some additional filtering in the end to get back only those last 30min
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want the timechart to show the current Mb/s average for the last 30 minutes and also show the average same 30 minutes from the last 2 weeks.
Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...
AppDynamics is now part of Splunk Ideas
Advanced Splunk Data Management Strategies
