Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Performing calculations on multi values to show on timechart

nishantmishra21
Engager
‎07-24-2017 11:57 PM

Hi All, need some insight and help.

I have a MQ like objects, information regarding which is forwarded into splunk at every 5mins.

Now events looks something like this:

2017-05-10 09:00.000||queue_name=MQ1||count_rec=100
2017-05-10 09:05.000||queue_name=MQ1||count_rec=110
2017-05-10 09:10.000||queue_name=MQ1||count_rec=110
2017-05-10 09:15.000||queue_name=MQ1||count_rec=130
2017-05-10 09:00.000||queue_name=MQ2||count_rec=30
2017-05-10 09:05.000||queue_name=MQ2||count_rec=60
2017-05-10 09:10.000||queue_name=MQ2||count_rec=100
2017-05-10 09:15.000||queue_name=MQ2||count_rec=100

Events are in revese chron. Order and even the fields are getting extracted. Rec_count is the number of data published to the MQ, this is the only info i could get.
So difference between value in current with prev. Events would give the count of data came in in last 5mins.

Now i am trying to show on timechart the number of records coming to the MQ over a span.

Is it possible, what should be the approach for this?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2017 03:19 PM

OK, like this:

your search that gets _time, queue_name and count_rec
| timechart range(count_rec) AS increase_in_this_span BY queue_name
0 Karma
Reply

DalJeanis
Legend
‎07-25-2017 02:25 PM

Try this ...

your search that gets _time, queue_name and count_rec
| bin _time span=5m
| stats max(count_rec) as count_rec by queue_name _time 
| streamstats current=f last(count_rec) as prev_count by queue_name
| eval new_recs = count_rec - prev_count
| timechart span=5m sum(new_recs) by queue_name

If the records all have _times that are exactly on the 5 min mark, then the bin is probably not needed.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2017 08:33 AM

As long as _time is correct (matches what is in the event), order doesn't matter; just do this:

Your Base Search Here | timechart avg(count_rec) BY queue_name

Or perhaps you need sum or max instead of avg and you might need a span= if you don't like what is automatically selected for you.

0 Karma
Reply

nishantmishra21
Engager
‎07-25-2017 08:48 AM

Could try, buy each event is the record count, i would need difference between the event and prior record count, in order to get exact number of records for the particular event. Post which i might use first() and then plotbon timechart.

How to get the difference?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...