Splunk Search

How to create a dynamic table based on one search result?



I'm building a line graph of a field "UsedSpaceGB" from the year 2009 until now so I can see the growth of data. That's working fine.

Now additionally, I want to build a second line. This second line should be the line of the forecast from 2009 until 2019 with a factor.
So the final graph will show the real growth and the growth estimated in 2009.

The factor is given. I can put it into a variable (eval command). The first year is given by a search result.

Now my problem is how to create the search. I think I need to build a dynamic table with a "loop":
Take the year 2009... add 1 year... do that 10 times... put it into a table... fill in the estimated time for each year based on the factor and the value from the past year...

I have no idea how to do that.
Later, I want to make it more dynamic... changing the factor, changing beginning year and end year.
I want to do that with onboard tools.

Anybody out there with a hint for me?

Many thanks,




I think trendline and timewrap are not what I need.
Also I don't want to use 3rd party.

What I did now (and solved a part of the problem):

Created some small txt files manually with my historical data (timestamp and used storage).
So I'm able to get a table with one row (line from 2001 until 2014) and a second row for each year.

With the EVAL (for converting) and DELTA commands I created a new row to calculate my growth.
Also with some more EVAL and STATS I created a row to compare my growth with the market forecast (storage doubling every 2 years).

After that I placed an input field in the panel, so I can set a static value for the forecast year.
So I have all values I need to calculate the growth from 2014 to e.g. 2018 or 2020, etc.

The table (and graph) goes now from year 2001 until 2014 and then the next and last row is year 2018.
So I have the right result now.

But it would be fine to see the years between 2014 and 2018 too.
I found no way to create them "dynamically" (like a for loop).

I didn't use TIMECHART, because my historical data's _time does not have the right stamp in SPLUNK.
I only worked with ... | CHART values(used) by mytime | ...

I created the txt files because I started SPLUNK in this environment after 2014.


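The year range the follow-up post could not generate "dynamically" can be built with onboard SPL and no app: mvrange produces the list of years as a multivalue field, mvexpand turns it into one row per year, and eval applies the compound factor per year. The search below is an added example and is not part of the thread. The index and sourcetype (storage / capacity), the field UsedSpaceGB, the start year 2009, the end year 2019 and the base value of 50 GB are assumptions; the factor 1.4142 (square root of 2 per year) is the "doubling every 2 years" market forecast mentioned in the post.

```spl
index=storage sourcetype=capacity earliest=-15y
| eval year=tonumber(strftime(_time, "%Y"))
| stats max(UsedSpaceGB) as actual_gb by year
| append
    [| makeresults
     | eval start_year=2009, end_year=2019, base_gb=50, factor=1.4142
     | eval year=mvrange(start_year, end_year + 1)
     | mvexpand year
     | eval forecast_gb=round(base_gb * pow(factor, year - start_year), 2)
     | table year forecast_gb ]
| stats values(actual_gb) as actual_gb values(forecast_gb) as forecast_gb by year
| sort year
```

The first three lines produce one row per year of real data (the "| chart values(used) by mytime" from the post works just as well as the source); the subsearch in append generates the forecast rows for every year from start_year to end_year inclusive (mvrange excludes the upper bound, hence end_year + 1); the final stats merges both sets on year so a line chart over the result shows the real and the forecast series side by side, with forecast_gb empty before 2009 and actual_gb empty after the last real year. Replacing the literals with dashboard tokens such as $start_year$, $end_year$ and $factor$ gives the adjustable inputs the post asks for, and start_year can be taken from a search result instead of a literal by substituting a subsearch that ends in "| return $start_year".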


I am not sure I get what you are trying to do but I am pretty sure that you will be able to make good use of the timewrap app to do it:




Why not go for trendline?

your search | stats count by source Time | trendline sma2(count) as trend

