Splunk Search

How to create transition report for a field from a 5 minute sampled input over long periods of time?

Contributor

I have a script that I wrote which goes out and samples data from a few thousand servers every 5 minutes and returns a number of fields. I'm trying to get a report to tell me how often a specific field transitions per server over the course of 2-3 days.

In this case the field is state and the values could be free, job-busy, job-exclusive, offline, down, and a few others.

Ideally I want to count the changes and not the totals; since it's sampled every 5 minutes, totals aren't altogether helpful, but knowing there were 6 changes from any one state to any other is. Knowing the duration between each transition is also very valuable. Transaction seems like a very solid fit, but I just can't seem to get it to function correctly. It seems to catch one set of host fields and the one immediately following it. I just can't seem to get correlate, contingency, or associate to work either, since this is scheduled sampled data and not naturally occurring event data that has a more organic timescale, and contingency is just giving me counts of what would otherwise be the exact format I'm looking for.

0 Karma

Splunk Employee

Try this:

sourcetype=mydata
| streamstats global=f current=t window=2
    distinct_count(myfield) as myfield_values
  by host
| where myfield_values > 1
| stats count by host

That will give you the number of transitions. If you also want the times, it's a little more complicated:

sourcetype=mydata
| streamstats global=f current=t window=2
    distinct_count(myfield) as myfield_values
    latest(_time) as transition_time
  by host
| where myfield_values > 1
| streamstats global=f current=t window=2
    range(transition_time) as time_since_previous_transition
  by host

This will list out each transition along with the time. I guess I'm not really sure how to summarize up the total number while still listing out each transition time, but maybe you add a ... | stats count, avg(time_since_previous_transition) by host and that's close to what you want?

0 Karma
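The answer above detects a transition by comparing each sample with the previous sample for the same host (a per-host window of two events). As an added example that is not part of the original thread, the following Python reproduces that logic offline over a constructed set of 5-minute samples, so you can check what the `streamstats window=2 ... by host` approach will and will not report. It also produces the per-host from->to matrix the question asked for and the gap between consecutive transitions. The host names, states and timestamps are made up for the example; the field name `state` follows the question.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one record per (host, 5-minute sample), carrying the
# same kind of fields the poster's script returns. Host names and state
# sequences are invented for this example.
T0 = datetime(2024, 1, 1, 0, 0, 0)
_SEQUENCES = {
    "node01": ["free", "free", "job-busy", "job-busy", "job-busy", "free", "offline", "offline"],
    "node02": ["down"] * 8,   # never changes: must report zero transitions
    "node03": ["free", "job-exclusive"] * 3 + ["free", "free"],
}
SAMPLES = [
    {"_time": T0 + timedelta(minutes=5 * i), "host": host, "state": state}
    for host, states in _SEQUENCES.items()
    for i, state in enumerate(states)
]
# Newest-first and interleaved across hosts, as raw search results arrive.
SAMPLES.sort(key=lambda r: r["_time"], reverse=True)


def transitions(samples, field="state"):
    """Equivalent of `streamstats window=2 distinct_count(field) by host`.

    Each host's samples are sorted by time, then every change of `field`
    between adjacent samples is emitted as one transition record. The first
    sample of a host has no predecessor and is never a transition.
    """
    by_host = defaultdict(list)
    for rec in samples:
        by_host[rec["host"]].append(rec)
    out = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["_time"])
        prev = None
        for rec in recs:
            if prev is not None and rec[field] != prev[field]:
                out.append({
                    "host": host,
                    # time the new value was first observed (latest(_time) in the window)
                    "transition_time": rec["_time"],
                    "from": prev[field],
                    "to": rec[field],
                })
            prev = rec
    return out


def transition_counts(samples, field="state"):
    """Number of transitions per host (the answer's first query)."""
    return Counter(t["host"] for t in transitions(samples, field))


def transition_matrix(samples, field="state"):
    """Per-host count of (from, to) pairs: 'changes from any one state to any other'."""
    matrix = defaultdict(Counter)
    for t in transitions(samples, field):
        matrix[t["host"]][(t["from"], t["to"])] += 1
    return matrix


def time_between_transitions(samples, field="state"):
    """Seconds between consecutive transitions of the same host (the answer's
    second query). A host's first transition has no predecessor, so it is None."""
    gaps = defaultdict(list)
    last_seen = {}
    for t in transitions(samples, field):   # grouped by host, time-ordered
        host = t["host"]
        if host in last_seen:
            gaps[host].append((t["transition_time"] - last_seen[host]).total_seconds())
        else:
            gaps[host].append(None)
        last_seen[host] = t["transition_time"]
    return gaps


if __name__ == "__main__":
    for host, n in sorted(transition_counts(SAMPLES).items()):
        print(host, n, dict(transition_matrix(SAMPLES)[host]), time_between_transitions(SAMPLES)[host])
```

Two caveats carry over to the Splunk version. The comparison is only as good as the adjacency of events: the explicit per-host time sort here is what `streamstats ... by host` assumes about the order of the events it sees, so if your search does not return events time-ordered per host, sort first. And because the input is a 5-minute sample rather than a change log, a state that flips and flips back between two samples is invisible, and a missed sample (host did not answer) simply stretches the measured duration to the next successful sample.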