Splunk Search

Charting non indexed values


I have a feed going into Splunk currently that follows a trend that looks like it starts at a very small number, then increases during the day until the middle of the day then back down to a small number. What i am wanting to do, is build a search that will look at this day 7 days ago, for every hour add 10% and minus 10% so that i have a threshold that i can chart on my chart for today.

Basically, i want: today's chart, a minimum and a maximum all in the one chart. With the max and min being 10% difference of the time 7 days ago. This is used to say that if the logs of today are more than last week, then it will show me as it will go over the 10% threshold of 7 days ago.

What functions does Splunk have to do this?

0 Karma

Ultra Champion

You need to search for the events that you want to chart, and then alter the timerange so that they can be charted together, that can be done in the old way with manually setting a 'marker' and then adding to the _time field (first example) or you can use the timewrap command, which can be found here as an app: http://apps.splunk.com/app/1645/

For these sample queries data from the _internal index have been used, so you can cut-n-paste these code samples directly to play around with them, as the _internal index is present on all splunk installations. Just make sure that you have the proper access rights.

| multisearch 
  [ search index=_internal sourcetype=splunkd earliest=-7d@d latest=-7d group=per_index_thruput series="_internal"  
   | eval marker="last_week"  ]     
  [ search index=_internal sourcetype=splunkd earliest=@d group=per_index_thruput series="_internal"  
  | eval marker="today" ] 
| eval _time = if(marker=="today", _time, _time + (7 * 86400)) 
| timechart span=1h avg(eps) by marker 
| where isnotnull(today) OR isnotnull(last_week) 
| eval last_week = round(last_week,2) 
| eval today = round(today,2)
| eval last_week_high = last_week * 1.10 
| eval last_week_low = last_week * 0.900 
| fields - last_week

Or using the timewrap command;

| multisearch 
  [search index=_internal sourcetype=splunkd series="_internal" earliest =-7d@d latest=-7d group=per_index_thruput] 
  [search index=_internal sourcetype=splunkd series="_internal" earliest=@d group=per_index_thruput] 
| timechart span=1h avg(eps) as avg_eps 
| timewrap d 
| where isnotnull(avg_eps_latest_day) OR isnotnull(avg_eps_7days_before) 
| eval avg_eps_today = round(avg_eps_latest_day,2) 
| eval low_last_week = round((avg_eps_7days_before * 0.900),2) 
| eval high_last_week = round((avg_eps_7days_before * 1.100),2) 
| fields + _time, avg_eps_today, low_last_week, high_last_week


You could also with a simpler search where you get all events from the last week and filter out the results after the timewrap command;

index=_internal sourcetype=splunkd earliest=-7d@d group=per_index_thruput series="_internal" 
| timechart span=1h avg(eps) as avg_eps
| timewrap d
| the rest of your commands for filtering out / manipulating fields

Hope this helps,


0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...