Re: How to search the correlation and chart temper...

SilviaGebel · ‎03-23-2015

Hi,

currently I am trying to figure out how to chart the temperature by failures.

The search I am creating is this:

...|eval temperature=abs(temperature)| chart avg(temperature) by failure

The only result I get in the statistics are the values of failures, but no values of temperature at all.
The fields are from different events and the events have different timestamps.

Is there a possibility to find a correlation between the temperature and the number of failures at that time?

Thank you for your help!

Silvia

woodcock · ‎08-10-2015

Your setup is very nasty in that you have combined these 2 datasets as one sourcetype and none of the events in either dataset has any kind of device identifier that can be used to correlate events between the datasets. I assume that the hot/faulty device is implied by either the host or the source. In any case, since you have left us no other alternative, we will have to correlate the events in the datsets by time like this:

... | bucket _time span=1m | stats values(*) AS * by _time | chart avg(temperature) by failure

This should work but it presumes that you have field extractions working to create the temperature and failure fields. If this doesn't work (the events are not joined by same values for date_minute, then switch the 1m to 10m or even 1h until you get the correlation working.

somesoni2 · ‎03-23-2015

We would need little more information to answer that. Would you be able to provide some sample logs?

SilviaGebel · ‎03-23-2015

these are the events with the fields temperature and failures

Temperature in C° (24; 23,9; 23,8; 23,7)

380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 06:04;23,5;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 06:03;23,4;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 06:02;23,5;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:52;23,4;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:50;23,3;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:50;23,4;\xE5\xA1C;268298
380462;._PLC.CVI.Z010 [\xE5\xA1C]: temperature;03.03.2015 05:49;23,3;\xE5\xA1C;268298

failures (values are the ascending count of failures that day)

362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 06:23;3;Fehler;1654
362290;._PLC.CVI.Z030 [Fehler]: failure;04.03.2015 06:08;1;Fehler;2871
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 05:56;2;Fehler;1654
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 05:53;1;Fehler;1654
362290;._PLC.CVI.Z030 [Fehler]: failure;04.03.2015 04:00;0;Fehler;2871
362290;._PLC.CVI.Z029 [Fehler]: failure;04.03.2015 04:00;0;Fehler;1654

somesoni2 · ‎03-23-2015

I believe these are two different sourcetypes/logfiles. Do we have any common ground/field/rule based on which these events can be correlated?

SilviaGebel · ‎03-24-2015

They have the same index, and the same sourcetype. The original files are two different csv-files.

How to search the correlation and chart temperature by failures?

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today