Splunk Search
Highlighted

How do I sum values over time and show it as a graph that I can predict from?

Explorer

How do I sum values over time and show it as a graph that I can predict from?
This is something that I’ve tried to achieve on my own but with limited success. It seems that it should be straightforward too.
I have this type of data going back five years, e.g. 52 months, that I’ve concatenated into one file.

TimeStamp Type Size
4/1/2013:12:01:03 ORD 5
4/1/2013:12:04:11 INV 8
4/1/2013:12:05:21 ORD 5
4/1/2013:12:05:33 INV 34
4/1/2013:12:06:30 ORD 20
4/1/2013:12:06:54 INV 13
4/1/2013:12:07:00 ORD 7
4/1/2013:12:34:44 INV 1
4/1/2013:12:39:32 ORD 1
4/1/2013:12:44:28 ORD 5
4/1/2013:12:49:22 INV 4
4/1/2013:12:50:32 ORD 6
4/1/2013:12:55:30 INV 9
4/1/2013:12:59:29 ORD 12...etc

I want to produce a timechart for the sum of the ‘Size’ for each ‘Type’ over the amount of time I have data for. We only need it by month so I edit the ‘TimeStamp’, in advance, to be ‘M/1/201Y::12:00:00’.

I’d then like to use this histogram to ‘predict’ the next few months. If someone can provide the ‘code’ for doing just one ‘Type’, I’d be most grateful. I have almost 20 ‘Types’. I can manage the predicting part.

0 Karma
Highlighted

Re: How do I sum values over time and show it as a graph that I can predict from?

SplunkTrust
SplunkTrust

Maybe this will get you started. There should be no need to edit the timestamp.

<your base search> | timechart span=1mon sum(Size) as Total_Size by Type
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How do I sum values over time and show it as a graph that I can predict from?

Explorer

Thank you for that, Rich.

As it stands, that still doesn't return anything.

I've got: index=IX Type=ORD | timechart span=1mon sum(Size) as TotalSize
Nothing

Bear in mind that my created timestamp is, for example: 4/1/2013:12:01:03.
Relevant?

But the result of my search shows, for example, _time as 2017-08 and TotalSize as being empty.

0 Karma
Highlighted

Re: How do I sum values over time and show it as a graph that I can predict from?

SplunkTrust
SplunkTrust

It looks like Splunk is not parsing your timestamps correctly or is rejecting them because they're too old. What are your props.conf settings for that sourcetype? Is MAX_DAYS_OLD set to a value that will accept dates from 2013?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How do I sum values over time and show it as a graph that I can predict from?

Explorer

Rich,

Thank you for persevering.
Yes, I'm sure it's it's me, my data, and not Splunk; no surprise there.

I, too, have put it down to a timestamp problem and so I'll re-jig my data, re-load it, and start again.

As a parting shot, i can produce exactly what I want for events...but not for Size.

I think I'd better think it out again.

Thank you.

Richard aka RexStout.

View solution in original post

0 Karma