I have a search:
| timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived
which gives me a nice area chart, but what I would like to do is also have lines on the chart showing the 14-day 80% and 20% average, to more easily identify when traffic is abnormal.
Can anyone think of how I could produce this?
Another possibility is to check out the Prelert Anomaly Detective App. It will automatically baseline any data that you would typically timechart (like your network throughput data in your example) and will highlight for you the moments in time in which the values of the data are "anomalies" - or statistical outliers compared to what's been observed in the past.
What you can usually do to add a reference line of some sort is to add it via
... | timechart ... | eval myreference=some_eval_statement
In your case you want to search different time periods for getting the values you already are charting and the reference value you want. You can solve it with a subsearch though:
... | timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived | eval [search earliest=-14d@d ... | stats avg(bytes_sent) as avgbytes_sent | format "" "" "" "" "" ""]
I don't know of a way to get more than one value per subsearch so if you want 2 percentiles for both bytes received and bytes sent that's a total of 4 searches using this method. This is obviously far from optimal but it's the only way I can think of.
I see where you are going with this but can we get a bit more specific? I have tried a few combos of my orig search piping into your suggestion and get no results. If I do your suggested search
* | stats perc20(bytes_sent) as sent_p20 perc80(bytes_sent) as sent_p80 perc20(bytes_received) as rec_p20 perc80(bytes_received) as rec_p80 | eval percentiles=sent_p20.";".sent_p80.";".rec_p20.";".rec_p80 | return percentiles
piped from *,
I get percentiles="180;2800;182;7500"
& the regex seems to have no effect on the results.
Thanks...I think we are close. This is great!
@Ayn - this should make returning X percentiles less expensive:
make the subsearch something like:
eval [ search earliest=-14d@d ... | stats perc20(bytes_sent) as sent_p20 perc80(bytes_sent) as sent_p80 perc20(bytes_received) as rec_p20 perc80(bytes_received) as rec_p80 | eval percentiles=sent_p20.";".sent_p80.";".rec_p20.";".rec_p80 | return percentiles ]
then you can do
| rex field=percentiles "^(?<sent_p20>[^;]+);(?<sent_p80>[^;]+);(?<rec_p20>[^;]+);(?<rec_p80>[^;]+)$" | fields - percentiles
to split out the values in the main search
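Putting the two answers above together, here is a complete search that draws the four 14-day percentile lines on the 15-minute timechart. This is an added example, not a search posted in the thread; `index=netflow` and `sourcetype=firewall` are placeholder names, and the 24-hour charting window is an assumption. Two details matter for the result to mean anything: the subsearch bins the history into the same 15-minute buckets before taking percentiles, so `sent_p80` is an 80th percentile of 15-minute totals and is on the same scale as `TotalSent` (percentiles over raw per-event `bytes_sent` would be far smaller and never cross the chart), and `latest=@d` keeps the baseline window from overlapping the window being judged against it.

```spl
index=netflow sourcetype=firewall earliest=-24h@h latest=now
| timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived
| eval [ search index=netflow sourcetype=firewall earliest=-14d@d latest=@d
         | bin _time span=15m
         | stats sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived by _time
         | stats perc20(TotalSent) as sent_p20 perc80(TotalSent) as sent_p80
                 perc20(TotalReceived) as rec_p20 perc80(TotalReceived) as rec_p80
         | eval percentiles=sent_p20.";".sent_p80.";".rec_p20.";".rec_p80
         | return percentiles ]
| rex field=percentiles "^(?<sent_p20>[^;]+);(?<sent_p80>[^;]+);(?<rec_p20>[^;]+);(?<rec_p80>[^;]+)$"
| fields - percentiles
```

`return percentiles` makes the subsearch expand to the text `percentiles="180;2800;182;7500"`, so the outer command becomes `eval percentiles="180;2800;182;7500"` and the `rex` then splits that one string into four fields. Because that `eval` runs on every row the timechart produced, each reference field is present for the whole series and renders as a flat line rather than as isolated dots; dots appear when only some rows carry a value. If the subsearch ends with more than one field, the expanded text is no longer a valid `eval` expression and the search returns no results, which is the failure mode described elsewhere in this thread.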
No luck means no results. I am actually fine doing two panels: one for sent, one for received. I suppose a subsearch of 80% would be the minimum too. Let me try just sent and just 80% and see what I get.
When you say "no luck", could you elaborate on what results you are getting? Like I said you can't get more than one value per subsearch using this technique. If there is more than one field at the end of the subsearch it will break for reasons that I could explain if you want.
I tried something like this but no luck:
| timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived | eval [search earliest=-14d@d latest=now * | stats sum(bytes_sent) as sumbytes_sent | eval eighty=.80*(sumbytes_sent/14) | eval twenty=.20*(sumbytes_sent/14)]
Any thoughts? Also it seems like my evals of eighty and twenty are dots, I would love to turn them into lines so we can see when traffic breaks out of those limits.