Splunk Search

How to use timechart average of a field from a simple Hostmon URL Check log file to create visualizations?

jward6004
Explorer

I have recently started indexing a private log generated from a Hostmon URL check. The Hostmon check runs during M-F business hours and returns the following basic log information:

[9/8/2016 10:48:55 AM]      sitename.com    Host is alive   18 ms   URL request 27061

I've added the extracted fields for 'site', 'state', 'response_time', 'test_type', and 'bytes', but now I want to build reporting around the data and am not very experienced using charting searches with Splunk. The 'state' field will return data that is simplistic as 'Host is alive', 'Host is down', or 'Out of schedule'.

Can someone help me understand how to pipe in a timechart avg of the 'state' field values so I can add it to a scheduled report for how often my site was available?

Example of a search that I was trying is:

index=main host=* sourcetype=Hostmon site=* state=* | timechart span=1d avg(state) as Site_Availability

sundareshr
Legend

Try this

index=main host=* sourcetype=Hostmon site=* state=* | bin span=1h _time | stats count by _time state | timechart span=1d avg(count) as Site_Availability by state

jward6004
Explorer

For testing purposes I added a 'host is down' entry in the log, but my pie chart is showing three data groups on the visualization:

Host is alive, Host is alive, and other

I'm looking for the chart to show basically 99% host is alive and for that one entry that is Host is down shouldn't it show a sliver for that 1%?


sundareshr
Legend

You will not be able to do a timechart and display on a piechart. For a piechart, you can do this

index=main host=* sourcetype=Hostmon site=* state=* | stats count by state

jward6004
Explorer

Awesome! Thanks, guys. One last visualization question: can you help me with creating a bar graph for showing the hourly/weekly/monthly and yearly performance?


aaraneta_splunk
Splunk Employee

Hi @jward6004 - If your original question has been answered, don't forget to resolve the original post by clicking "Accept" below the answer. Also, be sure to upvote any comments by @sundareshr and @dbcase that you found helpful.


dbcase
Motivator

That goes back to sundareshr's earlier answer

try this

index=main host=* sourcetype=Hostmon site=* state=* | bin span=1h _time | stats count by _time state | timechart span=1d avg(count) as Site_Availability by state

Change span=1h to span=1w for 1 week, span=1m for 1 month, or span=1y for 1 year.

dbcase
Motivator

sorry that should be the timechart span


jward6004
Explorer

Thank you dbcase! I'm trying to get a total number of tests, or sum, and then divide total tests by total successes (host is alive) and total failures (host is down) using EVAL.

This is the current query I'm using for the past week of test data:

index=main host=* sourcetype=Hostmon site=* state=* | stats count by _time state | timechart span=1w count as Site_Availability by state

This bar graph is showing total tests of either 'host is alive' or 'host is down' for the past week but I'm trying to display a more granular output of the data.


dbcase
Motivator

I don't quite understand. Is there any way you could send a result (mock-up) of what you are looking for?


jward6004
Explorer

Here's a screengrab for my panels now.

https://www.dropbox.com/s/p3d5sbc0rcvjaq3/plscreengrab.JPG?dl=0

It's showing the number of times that the event showed 'host is alive' and 'host is down', but I don't really care to display the number of tests in my graph. I'd like to create two new fields using EVAL for the expected values of the field 'state', then use the graph to report on those new fields.


jward6004
Explorer

Maybe displayed as a percentage for each of those fields over the timechart span=1w.

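The availability percentage asked for in the original question and in the "percentage over span=1w" follow-up, as an added example that is not part of the thread: a Python script written for this page (not by anyone posting here) that parses the Hostmon line format quoted above, bins events the way `bin span=... _time` does, and computes the share of 'Host is alive' tests per bucket. The sample log lines, the regex, the span-to-bucket mapping, and the choice to leave 'Out of schedule' results out of the denominator are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Hostmon format quoted in the thread (not a real log).
# Two days of M-F checks with one "Host is down" and one "Out of schedule" result.
SAMPLE_LOG = """\
[9/8/2016 10:48:55 AM]      sitename.com    Host is alive   18 ms   URL request 27061
[9/8/2016 11:03:12 AM]      sitename.com    Host is down    0 ms    URL request 0
[9/8/2016 11:18:40 AM]      sitename.com    Host is alive   21 ms   URL request 27061
[9/8/2016 11:33:09 AM]      sitename.com    Host is alive   19 ms   URL request 27061
[9/9/2016 9:02:44 AM]       sitename.com    Host is alive   17 ms   URL request 27061
[9/9/2016 9:17:55 AM]       sitename.com    Out of schedule 0 ms    URL request 0
"""

# One regex (an assumption for this example) covers the fields the thread extracts:
# site, state, response_time, test_type, bytes.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<site>\S+)\s+"
    r"(?P<state>Host is alive|Host is down|Out of schedule)\s+"
    r"(?P<response_time>\d+) ms\s+(?P<test_type>URL request)\s+(?P<bytes>\d+)\s*$"
)

# strftime keys that mirror the Splunk span values discussed in the thread.
# Note: in SPL "1m" is one minute; a month is "1mon".
SPAN_FORMAT = {
    "1h": "%Y-%m-%d %H:00",
    "1d": "%Y-%m-%d",
    "1w": "%Y-W%W",
    "1mon": "%Y-%m",
    "1y": "%Y",
}


def parse_line(line):
    """Parse one Hostmon line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    ev["response_time"] = int(ev["response_time"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def parse_log(text):
    """Parse every line; unparseable lines are skipped rather than miscounted as tests."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def availability_by_span(events, span="1d"):
    """Bucket events by time span (like `bin span=<span> _time`) and compute
    availability as the percentage of tests whose state is 'Host is alive'.

    'Out of schedule' events are not tests of the site, so they stay out of the
    denominator; counting them as failures would understate availability.
    Returns {bucket_label: {"tests": n, "up": n, "down": n, "availability_pct": x}}.
    """
    fmt = SPAN_FORMAT[span]
    buckets = defaultdict(lambda: {"tests": 0, "up": 0, "down": 0})
    for ev in events:
        if ev["state"] == "Out of schedule":
            continue
        b = buckets[ev["_time"].strftime(fmt)]
        b["tests"] += 1
        if ev["state"] == "Host is alive":
            b["up"] += 1
        else:
            b["down"] += 1
    for b in buckets.values():
        # A bucket only exists once at least one test landed in it, so tests > 0 here.
        b["availability_pct"] = round(100.0 * b["up"] / b["tests"], 2)
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    for label, row in availability_by_span(parse_log(SAMPLE_LOG), "1d").items():
        print(f"{label}  tests={row['tests']}  up={row['up']}  down={row['down']}  "
              f"availability={row['availability_pct']}%")
```

Run as-is it prints one row per day from the constructed sample; swap `"1d"` for `"1w"`, `"1mon"` or `"1y"` to get the coarser buckets. The point for the Splunk search is the same: average a numeric up/down flag per bucket rather than the string field. An SPL form of that calculation, written here as an illustration and not posted anywhere in the thread, would be `index=main sourcetype=Hostmon state!="Out of schedule" | eval up=if(state=="Host is alive",1,0) | timechart span=1d avg(up) as availability | eval availability=round(availability*100,2)`; in Splunk's span syntax `1m` is one minute and a month is `1mon`.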

dbcase
Motivator

Still not quite understanding but.....

I think you would need eventstats to get your totals

https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Eventstats

http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/

or possibly accum...

https://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Accum

sorry for the vagueness, I'm still not getting quite what you are looking for.


dbcase
Motivator

If you still need to express the average of the count, try this:

index=main host=* sourcetype=Hostmon site=* state=* | stats count by state | stats avg(count) as Average by state

dbcase
Motivator

You wouldn't use timechart with a pie chart representation. Time charts are suited for line charts and the like.


dbcase
Motivator

try this

index=main host=* sourcetype=Hostmon site=* state=* | stats count values(state) by _time | timechart span=1d avg(state) as Site_Availability