Getting Data In

Visualization that takes into account time of day

myoung54
Explorer

Hey all,

So I'm kind of scratching my head on this, and any kind of guidance would be extremely helpful!
Alright, so I have a dashboard with a stoplight visualization that looks at the volume of a particular thing. Volume high = Good, volume low = Outage, and anything in between = Degraded. I have it working perfectly fine now, but my company is 24/7 and volume is not at the same levels at night as it is during the day, so what's happening is that at night volume drops and the dashboard shows "outage", but there really isn't an outage; volume is simply lower because it's night time.

Is there any way I can add something to the query to factor in the time of day? Or should I be going about this a completely different way?

index=aries* sourcetype=aries-main RealtimeAccessLobby (host=dtlprdart* OR host="aglprdart*") md=10 ty=*
| eval error=coalesce(ei, ec, stccode, aaacode, " Success")
| eval er=case(et="HIPAA", ".Reject", error!=" Success", "Fail")
| eval Status=coalesce(er, error)
| eval cnt=1
| table _time, Status, cnt
| append [search index=oracle | eval Status=".Reject" | eval cnt=0 | head 1 | table _time, Status, cnt]
| timechart span=1m sum(cnt) by Status
| addtotals fieldname=Total
| eval TotalRate=(Total/100)
| fillnull value=0 TotalRate
| eval Warning=case(TotalRate<10,"Outage", TotalRate>=10 AND TotalRate<27,"Degraded", TotalRate>=27,"Good")
| eval Status=case(TotalRate<10,"times-circle", TotalRate>=10 AND TotalRate<27,"exclamation-triangle", TotalRate>=27,"check-circle")
| eval color=case(TotalRate<10,"#FF0000", TotalRate>=10 AND TotalRate<27,"#ffff00", TotalRate>=27,"#65a637")
0 Karma
1 Solution

to4kawa
Ultra Champion
 ....
| eval day_night=tonumber(strftime(_time,"%H"))
| eval Warning=case(TotalRate<5, "Outage", TotalRate<10 AND (day_night>=7 AND day_night<19), "Outage", TotalRate<27, "Degraded", TotalRate>=27, "Good")
....

hi, @myoung54
like this, please add a day/night condition.
and then
| fields - day_night
if you have a problem.

0 Karma

skoelpin
SplunkTrust

You're looking for adaptive thresholding. See my previous answer on this

https://answers.splunk.com/answers/590464/how-you-detect-an-anomaly-from-a-time-frame-the-pr.html

0 Karma