Splunk Search

Binary/square Time chart

tbrown
Path Finder

I have a field that contains either 0 or 1 according to the state of a process. What command could I use to make a timechart or line graph over time that shows the binary state of the process?

Basically, if the process goes to 1, I want the line to stay at 1, and then as soon as it goes to 0, it instantly changes to 0 and stays at 0, and continue that behavior.

 

Labels (4)
Tags (2)
0 Karma
1 Solution

tbrown
Path Finder

tbrown_0-1596137117821.png

 

.......
| rex field=_raw "to\s'(?<site_status>\w)" 
| stats count by _time,site_status
| bin span=2m _time
| makecontinuous _time
| filldown site_status
| fields - count

 

View solution in original post

niketn
Legend

@tbrown  following could be an option. I changed 0 to 0.01 so that it plots a bar for 0 value which otherwise will not be possible. Also adjusted Y axis min and max labels to push 0 data point to negative to show this.

Screen Shot 2020-07-30 at 1.48.30 PM.png

 

Following is the Run anywhere Simple XML Example using Splunk's _internal index (for the attached screenshot above). 

<dashboard>
  <label>Chart Transition 0 to 1</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| timechart dc(eval(log_level=="ERROR")) as ERROR
| fillnull value=0.01
| eval ERROR=case(ERROR=0,0.01,true(),ERROR)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisLabelsY.majorUnit">1</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.maximumNumber">1</option>
        <option name="charting.axisY.minimumNumber">-0.02</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>

 See if this option works for you!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tbrown
Path Finder

@niketn 

The format is working, but it isn't holding the '1' values as I want.

tbrown_0-1596119707000.png

As can be seen, it's only going to 1 when an event is received, but not holding that 1.

My query differs slightly, maybe I messed up something in there. I'm using a field called "site_status" that is either '0' or '1' depending on the status of the site. This is how I made the query, based on your advice.

<...> | rex field=_raw "to\s'(?<site_status>\w)" 
| timechart dc(site_status) as ONLINE 
| fillnull value=0.01 
| eval ONLINE=case(ONLINE=0,0.01,true(),ONLINE)

The xml options I used are the same as yours.

niketn
Legend

@tbrown remove the pipe with

| fillnull value=0.01 

and replace with

 | filldown

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tbrown
Path Finder

tbrown_0-1596137117821.png

 

.......
| rex field=_raw "to\s'(?<site_status>\w)" 
| stats count by _time,site_status
| bin span=2m _time
| makecontinuous _time
| filldown site_status
| fields - count

 

niketn
Legend

@tbrown if you found my answers and comments useful do up vote them!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

please try 

| timechart values(state) by processes 

r. Ismo 

0 Karma

tbrown
Path Finder

Hi, 

That didn't seem to work. Additionally, I'm already querying it down to one process, so it doesn't need to sort by process in the | timechart command

tbrown_0-1596041677671.png

This is what it looks like. I need it to be a binary graph.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Please change visualization to bar chart.
r. Ismo

0 Karma

tbrown
Path Finder

That still isn't working for me. I want a line graph that looks like this 

tbrown_0-1596047895604.png

 

Not like this, with the gaps in between

tbrown_2-1596048019812.png

 

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

unfortunately I don't know this kind of on/off - binary visualisation. Maybe @MuS or @niketn knows?

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...