Good Morning,
I am attempting to use a TimeChart that will show me the ratio of my GET/POST HTTP requests within the span of 1 hour. However, the output in my TimeChart only displays the latest result, regardless of the time (i.e., if the current ratio output is .75 as of 9:00pm, it will display as .75 for 8:00pm, even though it was .50 at 8:00pm). Here is my current search query:
index=nsm source="/nsm/zeek/logs/current/*http*"
| eventstats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST
| eval Ratio=round(GET/POST, 2)
| timechart span=1h values(Ratio)
I've attempted many different things, including time modifiers, but so far no luck. This is the closest I've gotten to where I want it, but it will not accurately display the ratio of the previous time. Is there any way around this?
You're calculating the ratio before the hourly aggregation can take place, hence the wrong result. Try something like this:
index=nsm source="/nsm/zeek/logs/current/*http*"
| timechart span=1h count(eval(method="GET")) as GET, count(eval(method="POST")) as POST
| eval Ratio=round(GET/POST, 2)
| table _time Ratio
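To make the difference concrete, here is an added example (not from this thread and not Splunk code) that reproduces both queries in plain Python over a constructed Zeek http.log snippet: eventstats_ratio mirrors the original eventstats query, and per_hour_ratio mirrors the timechart fix. The log lines, hosts and timestamps are made up; the only assumptions about Zeek's format are the tab-separated layout with a #fields header and "-" for an unset method. It also covers the hour with no POSTs at all, where SPL's eval leaves Ratio null instead of erroring, and which is worth checking before plotting.

```python
"""Global (eventstats) vs. per-hour (timechart/bin) GET/POST ratio over Zeek http.log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in Zeek http.log TSV layout; hypothetical traffic, not data from the thread.
# Hour 1 (22:00 UTC): 1 GET, 4 POST, 1 HEAD   -> ratio 0.25
# Hour 2 (23:00 UTC): 3 GET, 4 POST           -> ratio 0.75
# Hour 3 (00:00 UTC): 2 GET, 0 POST, 1 "-"    -> ratio null (division by zero)
SAMPLE_HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi
1699999200.000\tC1\t10.0.0.5\t51000\t93.184.216.34\t80\t1\tGET\texample.com\t/
1699999260.000\tC2\t10.0.0.5\t51001\t93.184.216.34\t80\t1\tPOST\texample.com\t/login
1699999320.000\tC3\t10.0.0.6\t51002\t93.184.216.34\t80\t1\tPOST\texample.com\t/login
1699999380.000\tC4\t10.0.0.6\t51003\t93.184.216.34\t80\t1\tPOST\texample.com\t/login
1699999440.000\tC5\t10.0.0.7\t51004\t93.184.216.34\t80\t1\tPOST\texample.com\t/upload
1699999500.000\tC6\t10.0.0.7\t51005\t93.184.216.34\t80\t1\tHEAD\texample.com\t/
1700002800.000\tC7\t10.0.0.5\t51006\t93.184.216.34\t80\t1\tGET\texample.com\t/
1700002860.000\tC8\t10.0.0.5\t51007\t93.184.216.34\t80\t1\tGET\texample.com\t/index.html
1700002920.000\tC9\t10.0.0.6\t51008\t93.184.216.34\t80\t1\tGET\texample.com\t/favicon.ico
1700002980.000\tC10\t10.0.0.6\t51009\t93.184.216.34\t80\t1\tPOST\texample.com\t/login
1700003040.000\tC11\t10.0.0.7\t51010\t93.184.216.34\t80\t1\tPOST\texample.com\t/login
1700003100.000\tC12\t10.0.0.7\t51011\t93.184.216.34\t80\t1\tPOST\texample.com\t/api
1700003160.000\tC13\t10.0.0.8\t51012\t93.184.216.34\t80\t1\tPOST\texample.com\t/api
1700006400.000\tC14\t10.0.0.8\t51013\t93.184.216.34\t80\t1\tGET\texample.com\t/
1700006460.000\tC15\t10.0.0.9\t51014\t93.184.216.34\t80\t1\tGET\texample.com\t/status
1700006520.000\tC16\t10.0.0.9\t51015\t93.184.216.34\t80\t1\t-\texample.com\t-
"""


def parse_http_log(text):
    """Yield (ts, method) pairs from Zeek http.log TSV, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split("\t")))
        yield float(row["ts"]), row["method"]


def hour_bucket(ts):
    """Equivalent of `bin _time span=1h`: floor the epoch timestamp to the hour."""
    return int(ts) - int(ts) % 3600


def safe_ratio(get, post):
    """round(GET/POST, 2); SPL's eval yields null on division by zero, mirrored here as None."""
    return None if post == 0 else round(get / post, 2)


def per_hour_ratio(text):
    """The fixed query: count GET/POST per hour bucket first, then divide."""
    counts = defaultdict(Counter)
    for ts, method in parse_http_log(text):
        counts[hour_bucket(ts)][method] += 1
    return {h: safe_ratio(c["GET"], c["POST"]) for h, c in sorted(counts.items())}


def eventstats_ratio(text):
    """The original query: eventstats counts over the whole search window, so every
    event carries the same Ratio and timechart values(Ratio) shows that one value per hour."""
    events = list(parse_http_log(text))
    total = Counter(method for _, method in events)
    global_ratio = safe_ratio(total["GET"], total["POST"])
    return {h: global_ratio for h in sorted({hour_bucket(ts) for ts, _ in events})}


if __name__ == "__main__":
    broken, fixed = eventstats_ratio(SAMPLE_HTTP_LOG), per_hour_ratio(SAMPLE_HTTP_LOG)
    print(f"{'_time':<20} {'eventstats':>10} {'per-hour':>10}")
    for h in fixed:
        stamp = datetime.fromtimestamp(h, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(f"{stamp:<20} {str(broken[h]):>10} {str(fixed[h]):>10}")
```

Running it prints the same 0.75 for every hour in the eventstats column (exactly the symptom described above) and 0.25, 0.75, None in the per-hour column. The None row is the one to watch on a dashboard: an hour with zero POSTs produces a null Ratio in SPL, which a line chart silently skips, so if you want it plotted as 0 or flagged, add a coalesce or an explicit check after the eval.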
Exactly what I was looking for. As I was troubleshooting it initially, I tried a query like this:
index=nsm source="/nsm/zeek/logs/current/*http*"
| timechart span=1h count(eval(method="GET")) as GET, count(eval(method="POST")) as POST
| eval Ratio=round(GET/POST, 2)
But it didn't dawn on me to use the table format. Leaving it as it was, it only displayed the counts for GET. Thank you for the explanation and the solution.
Edit: In the event you have an additional solution to this: I inserted the code that worked in the search query into a panel of a dashboard. I am trying to display my Ratio and its trend with the 'Single Value' visualization; however, the results always return the value '1' with no overall time/trend showing, even though other visualizations such as line, bar, and stat graphs present the accurate information.
If I remove the ... | table _time, Ratio, it'll display only the GET count, but it would be accurate in the Single Value visualization and display the overall time. Do you know a fix for this by chance?
Edit 2.0: Found the fix for this. I had to go into 'Format Visualization' -> 'Number Format' and set the 'Precision' to '0.00'. Again, thanks for your help.
index=nsm source="/nsm/zeek/logs/current/*http*"
| bin _time span=1h
| stats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST by _time
| eval Ratio=round(GET/POST, 2)
Your solution was close; however, the results presented seem to be the output of the division GET/POST but not the ratio of GET/POST.
In other words, instead of displaying the ratio of GET/POST as .50, it displayed it as 1,381.