Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Archive

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

ErikaE

Communicator

07-01-2015
02:44 PM

I have data coming in from a sensor that comes in the format unit/unit time, where I have a field value pair for the rate recorded and several field value pairs describing the time of the event. The rate is not recorded at a fixed interval in time.

If I want to use this rate to estimate total units over a specific time period, how can I accomplish that? Put another way, I want to be able to sum under a rate curve. I plotted a time series plot like so:

```
sensor | timechart span=5m avg(Value)
```

Thanks!

1 Solution

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

bmacias84

Champion

07-01-2015
02:53 PM

*minute(x), per*hour(x), per*day(), or per*second(x) available in the timechart command.

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

ErikaE

Communicator

07-06-2015
07:31 AM

Here's my attempt:

```
sensor | timechart span=5m per_minute(Value) | eval rectsum=(per_minute(Value)/c)
```

It's still not getting at what I'm trying to do, which is basically (for a start) rectangular integration. Trapezoidal integration would be better, but I figured that I would start with rectangular and build from there.

It looks like the per_* commands are incompatible with eval, which is what I think I'd need next to do the calculation.

https://en.wikipedia.org/wiki/File:Integration_rectangle.svg

https://en.wikipedia.org/wiki/File:Integration_trapezoid.svg

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

bmacias84

Champion

07-06-2015
08:40 AM

What is c? per*minute is a only available as a timechart function, but your eval is implemented incorrectly. per*minute(value) should be treated as a column/field name not a function. You either have to use the quotes or the as command.

```
sensor | timechart span=5m per_minute(Value) | eval rectsum=("per_minute(Value)"/c
OR
sensor | timechart span=5m per_minute(Value) as per_min | eval rectsum=(per_min/c)
```

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

ErikaE

Communicator

07-06-2015
09:54 AM

Yep, it was implemented incorrectly. I am just getting started with splunk and having a hard time with the learning curve. My background is process-oriented.

c is a constant that corrects the rate to the correct units/time.

Highlighted
##

If @bmacias84's guess isn't what you're looking for you should post some sample data along with desired results.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

martin_mueller

SplunkTrust

07-01-2015
03:04 PM

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

ErikaE

Communicator

07-06-2015
07:31 AM

Unfortunately posting sample data is not an option, but I did include some reference images for what I'm trying to do--basically numerical integration.

Thanks!

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

acharlieh

Influencer

07-06-2015
09:44 AM

If I'm understanding what you want... Trapezoidal integration will probably be easiest and here's a first pass at a solution that I came up with. I'll note that I'm assuming Value is rate in seconds since that's the units of _time, you'll need a conversion if it's a rate for a different time unit.

```
sensor | table _time Value | reverse
| streamstats last(Value) as lastValue last(_time) as lastTime current=f window=1
| eval area=(_time - lastTime)*(Value+lastValue)/2
| streamstats sum(area) as total
| timechart span=5m max(total) as total
```

First line is your search, we use table to remove all of the fields other than Value and _time as we need no others (we could use fields which would be able to be distributed and would be faster, but at the cost of a more verbose search here), and we reverse the results to be oldest to newest.

On the second line, we use streamstats to gather the point immediately previous to the current point.

Using this data on the third line we can now calculate the area of each trapezoid to get the estimated number produced in between each sensor sampling.

Now that we have the areas, we can use streamstats again (4th line) to sum the areas to get the running total of how many produced during our time period and finally we use timechart to make a regular graph of rates.

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

martin_mueller

SplunkTrust

07-06-2015
09:45 AM

I was just about to post that :<

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Totalize a Rate Over Time

ErikaE

Communicator

07-06-2015
09:59 AM

Works great! Can you provide an example of conversion if the rate is not in units/seconds? For example, if value was in unit / minute instead of unit / second?

Thanks!!!

Speak Up for Splunk Careers!

Career Survey Now!