Before and After graph (What-if)

winknotes · ‎04-14-2020

Hopefully I can explain this clearly. I'm trying to create a "what-if" dashboard. I'm trying to model moving a workload from one device to another. So the user could select a source device (dropdown), a destination device (second dropdown) and the workloads they want to move off the source device (multiselect dropdown). So just using IOPs as the metric, I'd like to display a graph that shows one line for current IOPs on the destination device along with a line that adds the IOPS from what's selected in the multiselect dropdown. This has proven to be quite difficult.

I've tried writing a single query to gather all of this to no avail. There has to be a way to do this but I sure can't think of one. Any ideas?

DalJeanis · ‎04-15-2020

Do you actually have the device.metric numbers broken out by workload?

| mstats max(device.metric1) AS IOPs 
    WHERE index=my_index 
    AND (device_name=destination_device OR device_name=source_device)
    span=5m by workloadname device_name
| eval State="Before"

This should give you events for every 5m increment that look like

| table _time workloadname device_name IOPs State

now we just have to put them together a different way

| appendpipe [|eval State="After" | eval device_name=if(workloadname="mysample","destination_device",device_name)]

that gives you two sets of events all in the same query.

| stats sum(IOPs) as IOPs by _time State device_name

And then you can present the results how you want.

winknotes · ‎04-16-2020

Thank you DalJeanis. This gives me a good start. I don't quite understand this line:

| appendpipe [| eval State="After" | eval device_name=if(workloadname="mysample", "destination_device", device_name)]

Specifically is "mysample" and "destination_device" literal strings or do those represent actual values? I guess I don't understand that line in general as you can probably tell by my question.

efavreau · ‎04-14-2020

@winknotes This sounds possible, but it would help if you showed your query, what it's resulting in, and a mock up of your desired state as well. This way we can help you change your query to go from where you to where you want to be.

###

If this reply helps you, an upvote would be appreciated.

winknotes · ‎04-15-2020

hehe i was trying to avoid the embarrassment of posting a query because frankly I can't find one that works. BUT here goes (keeping it generic). Also in the dashboard the values for device_name and workloadname would be represented by tokens, but for clarity I'm pretending this isn't part of a dashboard.

This would be the "before" query:

| mstats max(device.metric1) AS IOPs WHERE index=my_index AND device_name=destination_device span=5m
| timechart max(IOPs) as IOPs

This would be the query for the workloads that I'd like to add to the above values but can't figure out how to combine it all:

|mstats max(device.metric2) AS IOPs WHERE index=my_index AND workloadname=workload1 OR workloadname=workload2 span=5m by workloadname
| timechart sum(IOPs) as IOPs

This would produce a graph with two lines (again forgive the crude drawing). Not sure if my picture uploaded but if not just a line graph representing before and after is what I'm looking for.

Before and After graph (What-if)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life