Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to table/chart over a period of time

clintla
Contributor
‎11-26-2019 12:32 PM

trying to calculate groupings of VMs capacity growth over time but a chart or table looks to be the best answer if you need to report on 100 VMs.

In a simplified data set per below
Date ,Name,Capacit Used
5/1/2019, VM1,100
5/1/2019, VM2,100
5/1/2019, VM4,450
6/1/2019, VM1,100
6/1/2019, VM2,140
6/1/2019, VM4,450
7/1/2019, VM1,105
7/1/2019, VM2,200
8/1/2019, VM1,110
8/1/2019, VM2,200
9/1/2019, VM1,110
9/1/2019, VM2,200
10/1/2019,VM1,110
10/1/2019,VM2,200
10/1/2019,VM3,100
11/1/2019,VM1,110
11/1/2019,VM2,200
11/1/2019,VM3,200

How can you search it so that if you search for 7/1/2019 through 11/1/2019 that the result would be tabled as

VM1 5GB
VM2 0GB
VM3 200GB

So this almost needs to be like a delta except that its clobbered by VMs that are not in the beginning or ending of the time range.

If a VM is created in the time range then its starting capacity should be 0

0 Karma
Reply

clintla
Contributor
‎11-26-2019 12:50 PM

I've tried a lot of variations but I need to figure out how to take the beginning time of capacity_used and subtract the ending time of capacity_used

Stuff like stats.. just adds up some capacity.

I was doing earliest(capacity_used) minus latest(capacity_used) but that gets clobbered by VM's that were not present either at the beginning or end of the time range.. like VM3 in my example

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-26-2019 02:01 PM

if you have a period and want to measure the delta. try the streamstats.

    | bucket _time span=1d | stats max(capacity_used) AS daily_usage by _time Name| streamstats first(daily_usage) AS first_value last(daily_usage) As last_value by Name  window=2| eval delta=last_value - first_value
0 Karma
Reply

clintla
Contributor
‎11-27-2019 06:20 AM

I like the idea but still is clobbered by if a VM is not in the start or end of a selected time frame.

I was using earliest & latest which works great if a VM is present at the start and end of a selected time frame.

If a VM is added in the middle of a selected time frame & its 500GB then its earliest is 500GB. (should be 0) which makes the growth calculation inaccurate.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...