We have data in the summary index that counts information by various categories. For the purposes of presenting the problem we collect information in 15-minute buckets, and each event includes HostName, HostType, and count which is the number of occurrences of the HostName, HostType combination in that bucket. So a sample event would be
08:15:00 ... HostName="Alpha" HostType="foo" count=47 ...
HostNames can be any of a variety of Strings, and HostType can be either "foo" or "bar". I am trying to write a search that plots the percentage of "foo" in each bucket using a timechart. So far we have
index=summary | bucket span=15m _time | eval NumFoo=if(match(Node_Type,"foo"),count,0) | eval NumBar=if(match(Node_Type,"bar"),count,0) | eval PercentFoo=(NumFoo/(NumFoo+NumBar)) | timechart span=15m PercentFoo
As written, Splunk complains that "The specifier 'Offload' is invalid. It must be in form (). For example: max(size)." If I remove the timechart of the search above and instead pipe to
| chart max(NumFoo), max(NumBar), max(PercentFoo) by _time I can see values for NumFoo and NumBar so the variables seem to be populated. I don't think using
timechart max(PercentFoo) or any other operation on PercentFoo is appropriate - I have a value calculated I just need to display it. Any guidance on how to accomplish this is greatly appreciated.
Is your summary index created using one of the
si- commands (
sichart) or one of the conventional ones? (
stats, etc.)? It appears to be the latter, but can you confirm?
I believe you should be able to do:
index=summary | timechart span=15m sum(count) by Node_Type | eval PercentFoo=foo/(foo+bar)
though if your example is too much simplified from your actual use case, there will have to be some adjustments made to make this work.
It's a little strange to do the bucketing manually and then give it to timechart who'll want to bucket it again. But you could maybe replace the timechart with
stats first(PercentFoo) as PercentFoo first(PercentBar) as PercentBar by _time. Since the first bucket will have done the bucketing, timechart and it's second
span=15m clause isnt going to do anything anyway that the stats clause wouldnt do.
Or maybe you could not do the initial bucketing but leave the work to timechart. This is the way I would go:
index=summary (HostType="foo" OR HostType="bar" ) | timechart count span=15m by HostType
a nice stacked area chart of that might be all you need, but you could also do this:
index=summary (HostType="foo" OR HostType="bar" ) | timechart count span=15m by HostType | addtotals | eval=fooPercent=foo*100/Total | eval barPercent=bar*100/Total
Great approach Nick, leaves me with a new question. When I adopt your second search style, I can use the 'fields' command to get a table with 2 columns: _time and fooPercent. However when I do "Show Report" it no longer seems to understand this is a timechart of fooPercent over _time, presumably because this was not in the original timechart command early in the search string. Can you recommend a way to get the graph of fooPercent over _time that we desire?