- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to add percentage markings to an area char...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add percentage markings to an area chart?
I have a search:
| timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived
which gives me a nice area chart, but what I would like to do is also have lines on the chart showing the 14 day 80% and 20% average to more easily identify when traffic is abnormal.
Can anyone think of how I could produce this?
Thanks.
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave,
Another possibility is to check out the Prelert Anomaly Detective App. It will automatically baseline any data that you would typically timechart (like your network throughput data in your example) and will highlight for you the moments in time in which the values of the data are "anomalies" - or statistical outliers compared to what's been observed in the past.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you can usually do to add a reference line of some sort is to add it via eval:
... | timechart ... | eval myreference=some_eval_statement
In your case you want to search different time periods for getting the values you already are charting and the reference value you want. You can solve it with a subsearch though:
... | timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived | eval [search earliest=-14d@d ... | stats avg(bytes_sent) as avgbytes_sent | format "" "" "" "" "" ""]
I don't know of a way to get more than one value per subsearch so if you want 2 percentiles for both bytes received and bytes sent that's a total of 4 searches using this method. This is obviously far from optimal but it's the only way I can think of.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz,
I see where you are going with this but can we get a bit more specific? I have tried a few combos of my orig search piping into your suggestion and get no results. If I do your suggested search
* | stats perc20(bytes_sent) as sent_p20 perc80(bytes_sent) as sent_p80 perc20(bytes_received) as rec_p20 perc80(bytes_received) as rec_p80 | eval percentiles=sent_p20.";".sent_p80.";".rec_p20.";".rec_p80 | return percentiles
piped from *,
I get percentiles="180;2800;182;7500"
& the regex seems to have no affect on the results.
Thanks...I think we are close. This is great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice! That's clever jonuwz 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Ayn - this should make returning X percentiles less expensive :
make the subsearch something like :
eval [
search earliest=-14d@d ...
| stats perc20(bytes_sent) as sent_p20 perc80(bytes_sent) as sent_p80 perc20(bytes_received) as rec_p20 perc80(bytes_received) as rec_p80
| eval percentiles=sent_p20.";".sent_p80.";".rec_p20.";".rec_p80
| return percentiles ]
then you can do
| rex field=percentiles "(?<sent_p20>.*);(?<sent_p80>.*);(?<rec_p20>.*);(?<rec_p80>.*)"
| fields - percentiles`
to split out the values in the main search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. Make sure you use the format command I supplied at the end of the subsearch - without it things will go wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No luck means no results. I am actually fine doing two panels: one for sent, one for received. I suppose a subsearch of 80% would be the minimum too. Let me try just sent and just 80% and see what I get.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say "no luck", could you elaborate on what results you are getting? Like I said you can't get more than one value per subsearch using this technique. If there is more than one field at the end of the subsearch it will break for reasons that I could explain if you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried something like this but no luck:
| timechart span=15m sum(bytes_sent) as TotalSent sum(bytes_received) as TotalReceived | eval [search earliest=-14d@d latest=now * | stats sum(bytes_sent) as sumbytes_sent | eval eighty=.80*(sumbytes_sent/14) | eval twenty=.20*(sumbytes_sent/14)]
Any thoughts? Also it seems like my evals of eighty and twenty are dots, I would love to turn them into lines so we can see when traffic breaks out of those limits.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ayn,
Thanks for the response. Let me give it a try and report back...
Dave
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
