
Using radial gauge for displaying event rate

asubramanian
Explorer

I am trying to create a radial gauge chart to display a particular event rate. Without aggregation the chart shows up, but once I add avg by a timespan the chart becomes blank.

index="my_index"
"My Log"
 | bin _time span=1m
 | stats avg(count) by _time as rpm
 | gauge rpm 50 100 150 200 250

This query shows the chart but I want the rate not count.

index="my_index"
"My Log"
 | stats count as rpm
 | gauge rpm 50 100 150 200 250

niketn
Legend

@asubramanian what you are trying to do is not quite clear from your question and the SPL shared. If you want to get the average rate of your logs for the selected time range, aggregated together in spans of 1 min, you should use timechart first with span=1min and then perform the average. For example: the following run-anywhere example is based on Splunk's _internal index. It gets data for the last 60 min and performs a count of "INFO" logs every minute. It then performs an average of the same using stats (PS: timechart here will be of no use if the viz. is supposed to be a Gauge).

index="_internal" sourcetype="splunkd" log_level="INFO" earliest=-60min
| timechart count span=1min
| bin _time span=1min
| stats avg(count) as rpm
| gauge rpm 50 100 150 200 250

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

asubramanian
Explorer

Looks like I was using the new field assignment wrong. "Simple: stats (stats-function(field) [AS field])... [BY field-list]"
Moving "by" towards the end worked.

Can you please elaborate why I should use timechart here before evaluating, and how the avg is calculated there.


niketn
Legend

First off, I had assumed that count is actually not a field that exists in your data, so you would not have been able to perform avg(count) on your raw data. But it seems like count is an actual field. However, besides that there is another reason for performing timechart first, which depends on your actual use case and choice of Gauge visualization.

With radial gauge you can show only one value against various ranges you have defined.

Which is why, if your use case is to get the avg rpm from the total count of every minute of data for the selected time period, then you should bucket the count every minute and do a final average. That is why I have used timechart of count per minute for the selected time period and then performed a final stats for the average.

What you are doing is creating a trend of every minute of average count for the selected time range, but showing the latest minute of average value in the Radial Gauge, as it selects only the first value (not the entire trend). If this is the actual use case, you can actually run the query for the last 60 seconds and perform the average, and the output should be the same.

Hope the difference makes sense.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
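To make the difference between the two pipelines concrete, here is an added Python model of their semantics. It is not Splunk code and not from either poster; it assumes events carry an epoch `_time` and a numeric `count` field (as the thread suggests), models `timechart count` as emitting a 0 row for empty minutes inside the window, and models `bin _time | stats ... by _time` as dropping empty minutes. The sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: (epoch seconds, value of the event's own "count" field).
# BASE is a multiple of 60 so the buckets line up on minute boundaries.
BASE = 1_700_000_040
SAMPLE_EVENTS = [
    (BASE + 1, 10), (BASE + 17, 20), (BASE + 45, 30),                    # minute 0: 3 events
    (BASE + 62, 5), (BASE + 70, 5), (BASE + 80, 5),
    (BASE + 93, 5), (BASE + 119, 5),                                      # minute 1: 5 events
    # minute 2: no events at all
    (BASE + 185, 8), (BASE + 205, 8), (BASE + 220, 8), (BASE + 235, 8),  # minute 3: 4 events
]


def bucket(ts, span=60):
    """Floor a timestamp to its bucket start, like `bin _time span=1m`."""
    return ts - ts % span


def events_per_bucket(events, span=60, fill_empty=False):
    """Number of events per bucket.

    fill_empty=False behaves like `bin _time | stats count by _time`, which only
    emits buckets that contain events. fill_empty=True behaves like
    `timechart count`, which also emits a 0 row for every empty bucket inside
    the window (assumption made here: window = first bucket .. last bucket).
    """
    counts = Counter(bucket(ts, span) for ts, _ in events)
    if fill_empty and counts:
        for b in range(min(counts), max(counts) + 1, span):
            counts.setdefault(b, 0)
    return dict(sorted(counts.items()))


def avg_rpm(events, span=60, fill_empty=True):
    """niketn's pipeline: count events per minute, then average those counts.

    Returns a single number (events per minute), which is what a gauge needs.
    """
    per_bucket = events_per_bucket(events, span, fill_empty)
    return sum(per_bucket.values()) / len(per_bucket)


def avg_count_trend(events, span=60):
    """asubramanian's pipeline: `bin _time | stats avg(count) as rpm by _time`.

    Averages the event field `count` inside each minute, producing one row per
    minute (a trend) rather than a single value.
    """
    groups = defaultdict(list)
    for ts, c in events:
        groups[bucket(ts, span)].append(c)
    return [(b, sum(v) / len(v)) for b, v in sorted(groups.items())]


def gauge_value(rows):
    """A single-value viz such as the radial gauge reads only the first row."""
    return rows[0][1] if rows else None


def gauge_band(value, bounds=(50, 100, 150, 200, 250)):
    """0-based index of the range from `gauge rpm 50 100 150 200 250` that the
    value falls in, or None when it lies outside the configured range."""
    if value == bounds[-1]:
        return len(bounds) - 2
    for i in range(len(bounds) - 1):
        if bounds[i] <= value < bounds[i + 1]:
            return i
    return None


if __name__ == "__main__":
    print("events per minute (bin|stats):  ", events_per_bucket(SAMPLE_EVENTS))
    print("events per minute (timechart):  ", events_per_bucket(SAMPLE_EVENTS, fill_empty=True))
    print("rpm, empty minutes skipped:     ", avg_rpm(SAMPLE_EVENTS, fill_empty=False))
    print("rpm, empty minutes counted as 0:", avg_rpm(SAMPLE_EVENTS, fill_empty=True))
    trend = avg_count_trend(SAMPLE_EVENTS)
    print("per-minute avg(count) trend:    ", trend)
    shown = gauge_value(trend)
    print("what the gauge would show:      ", shown, "band", gauge_band(shown))
```

Two practical points fall out of the model. First, whether empty minutes count as zero changes the average (4.0 vs 3.0 events per minute on the sample), so a rate that feeds an alert threshold should be built with the bucketing you actually mean; in niketn's search, `timechart` has already bucketed `_time` on minute boundaries, so the following `bin` is redundant. Second, the trend pipeline returns one row per minute, and the gauge silently shows only the first of them, which is why a search that looks fine as a table can be misleading as a gauge.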