- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Expand time range of data and use default value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Expand time range of data and use default value
I'm trying to output the reliability for a channel over a time period. My sample log file looks like this:
channels:2,4,5,7,9,11,20,26,44,201,202,203
1355558400,1355644800
338889600,338911200
1355609908,338902477,2
1355609912,338902478,2
1355611500,338902875,5
1355611568,338902892,5
1355612040,338903010,5
where channels:*, are the channels being monitored. 1355558400,1355644800 is the start and end time of time period being monitored. 1355611500,338902875,5 indicates that at 1355611500 there was an issue with channel 5. There is a possibility of 900 errors per hour (every 4 seconds the check happens)
I've been able to create the query to get reliability if there is an error, but the limitation is that it only counts from the first error to the last error but won't include the 100% reliability before and after as indicated by the time range on the first line. Eg between 1pm-5pm there are errors between 2-2:30pm and 4-4:30pm this query will only show the graph between 2-4:30pm but i want to include 1-5 since i know those ends are perfectly fine and thought i could do that if i could somehow "insert" a default value for timeperiod mentioned at start of file
Here's my current query:
source = *Data* _raw="*,*,5"
| dedup _raw
| timechart span=30m count
| eval reliability = (1 - count/450) * 100
| fields - count
| eval relHigh = reliability*100
| rangemap field=rel High red=0-9900 yellow=9901-9990 green=9991-10000
| xyseries _time range reliability
| makecontinuous _time
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That definitely helped with perf and did fix and error in the results with fillNull. This does give me results filled till now whereas before it was the time of the last error. The only improvements i now need are being able to read the first line to determine which channels are monitored in case one of them never has any failures. If that happens it won't return any result for reliability. The other improvement is to read the second line to know which range has valid values rather than always assuming now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source = *Data* "*,*,5"
| uniq
| timechart span=30m count
| fillnull
| eval reliability = (1 - count/450) * 100
| eval range=case(reliability<=99,"red",reliability<=99.9,"yellow",1=1,"green")
| xyseries _time range reliability
| makecontinuous _time
I optimized a few things and added the "fillnull" command to make sure that the count was actually zero for time periods with no errors. That may improve your results. I can't really test it... so let us know what does/doesn't work!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the fillnull helped. the uniq turned out to be worse performing than the dedup_raw unfortunately.
Is there anyway to parse the endtime of the file to be the endtime of the chart for a particular channel?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
