Getting Data In

Visualization that takes into account time of day

myoung54
Explorer

Hey all,

So I'm kind of scratching my head on this, and any kind of guidance would be extremely helpful!
Alright, so I have a dashboard with a stoplight visualization that looks at volume of a particular thing. Volume high=Good, Volume low=Outage, and anything in-between = Degraded. I have it working perfectly fine now, but my company is 24/7 and volume is not at the same levels at night as it is during the day, so what's happening is that at night volume drops and the dashboard shows "outage" but there really isn't an outage, volume is simply lower because it's night time.

Is there any way I can add something to the query to factor in the time of day? Or should I be going about this a completely different way?

index=aries* sourcetype=aries-main RealtimeAccessLobby (host=dtlprdart* OR host=aglprdart*) md=10 ty=*
| eval error=coalesce(ei, ec, stccode, aaacode, " Success")
| eval er=case(et="HIPAA", ".Reject", error!=" Success", "Fail")
| eval Status=coalesce(er, error)
| eval cnt=1
| table _time, Status, cnt
| append [search index=oracle | eval Status=".Reject" | eval cnt=0 | head 1 | table _time, Status, cnt]
| timechart span=1m sum(cnt) by Status
| addtotals fieldname=Total
| eval TotalRate=Total/100
| fillnull value=0 TotalRate
| eval Warning=case(TotalRate<10,"Outage", TotalRate<27,"Degraded", true(),"Good")
| eval Status=case(TotalRate<10,"times-circle", TotalRate<27,"exclamation-triangle", true(),"check-circle")
| eval color=case(TotalRate<10,"#FF0000", TotalRate<27,"#ffff00", true(),"#65a637")
0 Karma
1 Solution

to4kawa
Ultra Champion
....
| eval day_night=tonumber(strftime(_time,"%H"))
| eval Warning=case(TotalRate<5, "Outage", TotalRate<10 AND (day_night>7 AND day_night<19), "Outage", TotalRate<27, "Degraded", true(), "Good")
....

Hi, @myoung54,
like this: please add a day/night condition.
And then
| fields - day_night if you have a problem.

0 Karma
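A complete version of the asker's query with the day/night idea from the accepted answer carried through, as an added example (it is not code from the original post or from to4kawa). The day window (08:00 to 18:00), the night thresholds (5 and 15) and the helper field names (hour, is_day, outage_limit, degraded_limit) are assumptions chosen for illustration; the thresholds are computed once per row, so a single case() drives the label, the icon and the colour and the three can no longer drift apart. The case() branches use `<` plus a final true() so every value of TotalRate, including exactly 10 or 27, gets a status.

```spl
index=aries* sourcetype=aries-main RealtimeAccessLobby (host=dtlprdart* OR host=aglprdart*) md=10 ty=*
| eval error=coalesce(ei, ec, stccode, aaacode, " Success")
| eval er=case(et="HIPAA", ".Reject", error!=" Success", "Fail")
| eval Status=coalesce(er, error)
| eval cnt=1
| table _time, Status, cnt
| append [search index=oracle | eval Status=".Reject" | eval cnt=0 | head 1 | table _time, Status, cnt]
| timechart span=1m sum(cnt) by Status
| addtotals fieldname=Total
| eval TotalRate=Total/100
| fillnull value=0 TotalRate
| eval hour=tonumber(strftime(_time,"%H"))
| eval is_day=if(hour>=8 AND hour<=18, 1, 0)
| eval outage_limit=if(is_day=1, 10, 5)
| eval degraded_limit=if(is_day=1, 27, 15)
| eval Warning=case(TotalRate<outage_limit,"Outage", TotalRate<degraded_limit,"Degraded", true(),"Good")
| eval Status=case(Warning="Outage","times-circle", Warning="Degraded","exclamation-triangle", true(),"check-circle")
| eval color=case(Warning="Outage","#FF0000", Warning="Degraded","#ffff00", true(),"#65a637")
| fields - hour, is_day, outage_limit, degraded_limit
```

strftime() renders _time in the time zone configured for the user running the search, so the day window is relative to that setting, not to the hosts' local time; if the two differ, adjust the hour bounds or set the user's time zone accordingly. Because hour is derived from the bucket's own _time, the thresholds also switch correctly for historical buckets when the dashboard's time range spans the day/night boundary.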

skoelpin
SplunkTrust

You're looking for adaptive thresholding. See my previous answer on this

https://answers.splunk.com/answers/590464/how-you-detect-an-anomaly-from-a-time-frame-the-pr.html

0 Karma
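One way to do the adaptive thresholding this answer points to, as an added example that is not code from skoelpin's linked answer or from the original post: instead of fixed day and night cut-offs, the current minute's volume is compared with the average volume seen at the same hour of day over the previous week, so every hour carries its own expectation. The base search is the asker's (reduced to plain event volume rather than the per-status breakdown), the 7-day lookback, the ratio thresholds 0.3 and 0.7 and the field names hod, baseline and ratio are assumptions chosen for illustration.

```spl
index=aries* sourcetype=aries-main RealtimeAccessLobby (host=dtlprdart* OR host=aglprdart*) md=10 ty=* earliest=-7d@m latest=@m
| timechart span=1m count AS cnt
| eval hod=tonumber(strftime(_time,"%H"))
| eventstats avg(cnt) AS baseline BY hod
| eval ratio=if(baseline>0, cnt/baseline, 0)
| tail 1
| eval Warning=case(ratio<0.3,"Outage", ratio<0.7,"Degraded", true(),"Good")
| eval Status=case(Warning="Outage","times-circle", Warning="Degraded","exclamation-triangle", true(),"check-circle")
| eval color=case(Warning="Outage","#FF0000", Warning="Degraded","#ffff00", true(),"#65a637")
| eval baseline=round(baseline,1), ratio=round(ratio,2)
| table _time, cnt, baseline, ratio, Warning, Status, color
```

latest=@m drops the minute still in progress, so the stoplight is driven by the last complete bucket rather than a half-filled one that would always look like an outage. Two caveats a practitioner should weigh: a week-long baseline mixes weekdays and weekends (adding strftime(_time,"%a") to the BY clause separates them at the cost of fewer samples per bucket), and a genuine outage inside the lookback lowers the baseline for that hour, making the next outage at the same hour harder to spot; excluding known incident windows from the baseline search addresses that.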