Dashboards & Visualizations

Using radial gauge for displaying event rate

asubramanian
Explorer

I am trying to create a radial gauge chart to display a particular event rate. Without aggregation the chart shows up, but once I add avg by a timespan the chart becomes blank.

index="my_index"
"My Log"
 | bin _time span=1m
 | stats avg(count) by _time as rpm
 | gauge rpm 50 100 150 200 250

This query shows the chart but I want the rate not count.

index="my_index"
"My Log"
 | stats count as rpm
 | gauge rpm 50 100 150 200 250
0 Karma

niketn
Legend

@asubramanian, what you are trying to do is not quite clear from your question and the SPL shared. If you want to get the average rate of your logs for the selected time range aggregated together in a span of 1 min, you should use timechart first with span=1min and then perform the average. For example, the following run-anywhere example is based on Splunk's _internal index. It gets data for the last 60 min and performs a count of "INFO" logs every minute. It then performs an average of the same using stats (PS: timechart here will be of no use if the viz. is supposed to be a Gauge).

index="_internal" sourcetype="splunkd" log_level="INFO" earliest=-60min
| timechart count span=1min
| bin _time span=1min
| stats avg(count) as rpm
| gauge rpm 50 100 150 200 250

Please try it out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

asubramanian
Explorer

Looks like I was using the new field assignment wrong. "Simple: stats (stats-function(field) [AS field])... [BY field-list]"
Moving "by" towards the end worked.

Can you please elaborate why I should use timechart here before evaluating, and how the avg is calculated there?

0 Karma

niketn
Legend

First off, I had assumed that count is actually not a field that exists in your data, so you would not have been able to perform avg(count) on your raw data. But it seems like count is an actual field. However, besides that, there is another reason for performing timechart first, which depends on your actual use case and choice of Gauge visualization.

With radial gauge you can show only one value against various ranges you have defined.

Which is why, if your use case is to get the avg rpm for the total count of every minute of data for the selected time period, then you should bucket the count every minute and do a final average. That is why I have used timechart of count per minute for the selected time period and then performed a final stats for the average.

What you are doing is creating a trend of every minute of average count for the selected time range, but showing the latest minute of average value in the Radial Gauge, as it selects only the first value (not the entire trend). If this is the actual use case, you can actually run the query for the last 60 seconds and perform the average, and the output should be the same.

Hope the difference makes sense.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
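The distinction niketn draws above (one averaged value for the gauge versus a per-minute trend of which the gauge shows only the first row), modelled in Python as an added example that is not from this thread or from Splunk. The event timestamps and search range are constructed; the fill_gaps switch mirrors timechart emitting a 0 bucket for minutes with no events, which bin _time | stats count by _time does not.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: event timestamps inside a 5-minute search window.
EVENTS = [
    "2024-12-01T10:00:05", "2024-12-01T10:00:40",
    "2024-12-01T10:01:10",
    # minute 10:02 has no events
    "2024-12-01T10:03:02", "2024-12-01T10:03:30", "2024-12-01T10:03:59",
    "2024-12-01T10:04:15",
]
RANGE_START = datetime(2024, 12, 1, 10, 0)   # assumed 'earliest'
RANGE_END = datetime(2024, 12, 1, 10, 5)     # assumed 'latest' (exclusive)


def bin_minute(ts: str) -> datetime:
    """`bin _time span=1m`: truncate a timestamp to the start of its minute."""
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0)


def counts_per_minute(events, fill_gaps: bool) -> dict:
    """Per-minute counts. fill_gaps=True mirrors `timechart count span=1m`,
    which emits every bucket in the search range (0 for empty minutes);
    fill_gaps=False mirrors `bin _time span=1m | stats count by _time`,
    which only emits buckets that actually contain events."""
    counts = {}
    if fill_gaps:
        t = RANGE_START
        while t < RANGE_END:
            counts[t] = 0
            t += timedelta(minutes=1)
    for e in events:
        b = bin_minute(e)
        counts[b] = counts.get(b, 0) + 1
    return dict(sorted(counts.items()))


def gauge_rpm(events, fill_gaps: bool = True) -> float:
    """`... | stats avg(count) as rpm`: the single number a gauge can show."""
    return mean(counts_per_minute(events, fill_gaps).values())


def trend_first_row(events) -> int:
    """`... | stats count by _time`: a trend, of which the gauge takes row 1."""
    return next(iter(counts_per_minute(events, False).values()))


if __name__ == "__main__":
    print("rpm via timechart (empty minute counted as 0):", gauge_rpm(EVENTS))
    print("rpm via bin|stats (empty minute dropped):", gauge_rpm(EVENTS, False))
    print("gauge fed a per-minute trend shows only:", trend_first_row(EVENTS))
```

Note that the same seven events give 1.4 rpm when the empty minute is kept and 1.75 rpm when it is silently dropped, so the choice of command changes the gauge reading.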