Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me make a search string that returns a graph of a specific field over time?

aatha89
Explorer
‎10-06-2018 05:37 AM

I have an assignment, where the events under contents log measurements of diskusage of a Linux host.

read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization(%) \ fields

The question is: what will the search query be here?

i need for example to make a search that makes a graph over field device_bandwith_utilization over time:

What i am thinking will be the correct answer is the following: 

index="main" host="linux" collection="device_bandwith_utilization" 
|timechart values(collection), then choose the tab visualization

does this seems correct for you guys ?

i am not able to test this because this events are just on paper.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

back2root
Path Finder
‎10-07-2018 03:29 AM

If these are your only fields in the Event:

read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization

I do not see and field called collection so your query might more likely start with:

index="main" host="linux" device_bandwith_utilization=*

In addition you've used the values() function within timechart. That doesn't seem to make huge sense in this scenario as is may return to much values if you choose a larger timeframe.
What you whant to use are aggregate functions such as avg() min() max() p75()... 

index="main" host="linux" device_bandwith_utilization=*
| timechart avg(device_bandwith_utilization) as "Average BW utilization"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

back2root
Path Finder
‎10-07-2018 03:29 AM

If these are your only fields in the Event:

read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization

I do not see and field called collection so your query might more likely start with:

index="main" host="linux" device_bandwith_utilization=*

In addition you've used the values() function within timechart. That doesn't seem to make huge sense in this scenario as is may return to much values if you choose a larger timeframe.
What you whant to use are aggregate functions such as avg() min() max() p75()... 

index="main" host="linux" device_bandwith_utilization=*
| timechart avg(device_bandwith_utilization) as "Average BW utilization"
0 Karma
Reply
Solved! Jump to solution

aatha89
Explorer
‎10-07-2018 12:55 PM

@back2root i have some other questions which i have tried to answer, hope you can tell me if i am on right path.

1)Make a search that sums read_ops and write_ops(Disk io)
Ans:
index="main" host="linux" read_ops="" write_ops=""
|eval sum=read_ops+write_ops

2)Make a search that finds the heighest disk io for a time period
Ans:
index="main" host="linux" write_ops="*"
|stats max(count) by write_ops

3)Make search that finds the wait_time over 10
Ans:
index="main" host="linux" wait_time="*" wait_time>10

4)Make a search that finds write_kB/write_ops and gives the overall average for the entire search time
Ans:
index="main" host="linux" write_KB="" write_ops=""
|eval result = write_kB/write_ops //calculates
|stats avg(result) //finds the average
|timechart count by result // for the entire search time

0 Karma
Reply
Solved! Jump to solution

aatha89
Explorer
‎10-07-2018 12:37 PM

@back2root I have some other questions which i have tried to answer, could you see if i am on the right path ?

1)Make a search that sums read_ops and write_ops(disk io) per event(log line)
Ans:
Index="main" host="host" read_ops="* "write_ops="*"
|eval sum = read_ops + write_ops

2) Make a search thats finds det heighest disk io for a time period
Ans:
Index="main" host="host" "write_ops="*"
|stats max(count) by write_ops

3)Make search finds wait_time over 10
Ans:
Index="main" host="host" wait_time="*" wait_time>10

4) Make a search that finds write_KB/write_ops and gives the overall average on the entire time
Ans:
Index="main" host="host" write_KB=""write_ops=""
|eval result=write_KB/write_ops //calculate
|stats avg(result) //the average of the result
|timechart count by result //For the entire search time

0 Karma
Reply
Solved! Jump to solution

aatha89
Explorer
‎10-07-2018 10:11 AM

Thanks for clearing this up for me 🙂

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-07-2018 12:12 AM

@aatha89, What Add-on are you using to collect the data?

0 Karma
Reply
Solved! Jump to solution

aatha89
Explorer
‎10-07-2018 10:27 AM

I just have this assignment on paper format, and havent been able to use any add-on

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...