Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Line Graphs Dynamic Line

JohnDoyle
Engager
‎02-02-2011 02:43 PM

Finally getting used to Splunk and have it importing my data from a database.

Now I'm working on generating a line chart that plots out the recorded load to a database. We would like to look over a particular load and see how the load is across multiple days so we can identify unusual drops. This would include stuff like:

Row_Count=123 Error_Count=0 Average_Row_Count=120 Tolerance_Percentage=10

So I can plot out the Row, Average Row and Error fine.

But now I want to include the Tolerance Percentage which is the standard deviation from the average row count, i.e. a line at 108 and a line at 132.

| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT, list(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR) AS TOLERANCE_MIN BY LOAD_MNTR_RUN_ID, JOB_NAME

Gives out about using *

| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT BY LOAD_MNTR_RUN_ID, JOB_NAME | eval TOLERANCE_MIN=(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR)

Just doesnt report TOLERANCE_MIN.

Pretty sure I am missing something basic here..

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎02-02-2011 07:31 PM

You dont want to use stats list like this. This will give you one result row that has lots of multi-valued values. Although it sort of looks like what you want, it isnt.

I think this might be closer to what you're looking for: 

<your search>
| eval Row_Count_Lower = Row_Count - Tolerance_Percentage
| eval Row_Count_Upper = Row_Count + Tolerance_Percentage | 
| timechart avg(Row_Count_Lower) avg(Row_Count) avg(Row_Count_Upper) avg(Error_Count) span=1h

The output of that chart will get graphed as 4 lines, and the legend will show that one of the lines is the Row_Count minus the tolerance, one is the Row_Count itself, one is the Row_Count plus the tolerance.

If you're more interested in maxima and minima, just add in some max(Row_Count_Upper) etc as necessary.

Note: If you're trying to generate graphs your best bet is to always use the chart and timechart commands.

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...