Splunk Search

Display calculated values in a timechart

beaumaris
Communicator

We have data in the summary index that counts information by various categories. For the purposes of presenting the problem we collect information in 15-minute buckets, and each event includes HostName, HostType, and count which is the number of occurrences of the HostName, HostType combination in that bucket. So a sample event would be

08:15:00 ... HostName="Alpha" HostType="foo" count=47 ...

HostNames can be any of a variety of Strings, and HostType can be either "foo" or "bar". I am trying to write a search that plots the percentage of "foo" in each bucket using a timechart. So far we have

index=summary 
| bucket span=15m _time 
| eval NumFoo=if(match(Node_Type,"foo"),count,0) 
| eval NumBar=if(match(Node_Type,"bar"),count,0) 
| eval PercentFoo=(NumFoo/(NumFoo+NumBar)) 
| timechart span=15m PercentFoo

As written, Splunk complains that "The specifier 'Offload' is invalid. It must be in form (). For example: max(size)." If I remove the timechart of the search above and instead pipe to | chart max(NumFoo), max(NumBar), max(PercentFoo) by _time I can see values for NumFoo and NumBar so the variables seem to be populated. I don't think using timechart max(PercentFoo) or any other operation on PercentFoo is appropriate - I have a value calculated I just need to display it. Any guidance on how to accomplish this is greatly appreciated.

Tags (3)
1 Solution

sideview
SplunkTrust
SplunkTrust

It's a little strange to do the bucketing manually and then give it to timechart who'll want to bucket it again. But you could maybe replace the timechart with stats first(PercentFoo) as PercentFoo first(PercentBar) as PercentBar by _time. Since the first bucket will have done the bucketing, timechart and it's second span=15m clause isnt going to do anything anyway that the stats clause wouldnt do.

Or maybe you could not do the initial bucketing but leave the work to timechart. This is the way I would go:

index=summary (HostType="foo" OR HostType="bar" ) | timechart count span=15m by HostType

a nice stacked area chart of that might be all you need, but you could also do this:

index=summary (HostType="foo" OR HostType="bar" ) | timechart count span=15m by HostType | addtotals | eval=fooPercent=foo*100/Total | eval barPercent=bar*100/Total

View solution in original post

beaumaris
Communicator

The summary index is created using the conventional commands

0 Karma

sideview
SplunkTrust
SplunkTrust

It's a little strange to do the bucketing manually and then give it to timechart who'll want to bucket it again. But you could maybe replace the timechart with stats first(PercentFoo) as PercentFoo first(PercentBar) as PercentBar by _time. Since the first bucket will have done the bucketing, timechart and it's second span=15m clause isnt going to do anything anyway that the stats clause wouldnt do.

Or maybe you could not do the initial bucketing but leave the work to timechart. This is the way I would go:

index=summary (HostType="foo" OR HostType="bar" ) | timechart count span=15m by HostType

a nice stacked area chart of that might be all you need, but you could also do this:

index=summary (HostType="foo" OR HostType="bar" ) | timechart count span=15m by HostType | addtotals | eval=fooPercent=foo*100/Total | eval barPercent=bar*100/Total

beaumaris
Communicator

Great approach Nick, leaves me with a new question. When I adopt your second search style, I can use the 'fields' command to get a table with 2 columns: _time and fooPercent. However when I do "Show Report" it no longer seems to understand this is a timechart of fooPercent over _time, presumably because this was not in the original timechart command early in the search string. Can you recommend a way to get the graph of fooPercent over _time that we desire?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I believe you should be able to do:

index=summary | timechart span=15m sum(count) by Node_Type | eval PercentFoo=foo/(foo+bar)

though if your example is too much simplified from your actual use case, there will have to be some adjustments made to make this work.

gkanapathy
Splunk Employee
Splunk Employee

Is your summary index created using one of the si- commands (sistats, sitimechart, sichart) or one of the conventional ones? (stats, etc.)? It appears to be the latter, but can you confirm?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...