Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search the correlation and chart temper...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search the correlation and chart temperature by failures?
SilviaGebel
Path Finder
03-23-2015
09:23 AM
Hi,
currently I am trying to figure out how to chart the temperature by failures.
The search I am creating is this:
...|eval temperature=abs(temperature)| chart avg(temperature) by failure
The only result I get in the statistics are the values of failures, but no values of temperature at all.
The fields are from different events and the events have different timestamps.
Is there a possibility to find a correlation between the temperature and the number of failures at that time?
Thank you for your help!
Silvia
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
08-10-2015
09:24 AM
Your setup is very nasty in that you have combined these 2 datasets as one sourcetype and none of the events in either dataset has any kind of device identifier that can be used to correlate events between the datasets. I assume that the hot/faulty device is implied by either the host or the source. In any case, since you have left us no other alternative, we will have to correlate the events in the datsets by time like this:
... | bucket _time span=1m | stats values(*) AS * by _time | chart avg(temperature) by failure
This should work but it presumes that you have field extractions working to create the temperature and failure fields. If this doesn't work (the events are not joined by same values for date_minute, then switch the 1m to 10m or even 1h until you get the correlation working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-23-2015
09:28 AM
We would need little more information to answer that. Would you be able to provide some sample logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SilviaGebel
Path Finder
03-23-2015
09:46 AM
these are the events with the fields temperature and failures
Temperature in C° (24; 23,9; 23,8; 23,7)
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 06:04;23,5;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 06:03;23,4;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 06:02;23,5;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:52;23,4;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:50;23,3;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:50;23,4;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:49;23,3;\xE5\xA1C;268298
failures (values are the ascending count of failures that day)
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 06:23;3;Fehler;1654
362290;._PLC.CVI.Z030 [Fehler]: failure;04.03.2015 06:08;1;Fehler;2871
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 05:56;2;Fehler;1654
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 05:53;1;Fehler;1654
362290;._PLC.CVI.Z030 [Fehler]: failure;04.03.2015 04:00;0;Fehler;2871
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 04:00;0;Fehler;1654
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-23-2015
12:55 PM
I believe these are two different sourcetypes/logfiles. Do we have any common ground/field/rule based on which these events can be correlated?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SilviaGebel
Path Finder
03-24-2015
12:32 AM
They have the same index, and the same sourcetype. The original files are two different csv-files.
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
