- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Performing calculations on multi values to show on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Performing calculations on multi values to show on timechart
Hi All, need some insight and help.
I have a MQ like objects, information regarding which is forwarded into splunk at every 5mins.
Now events looks something like this:
2017-05-10 09:00.000||queue_name=MQ1||count_rec=100
2017-05-10 09:05.000||queue_name=MQ1||count_rec=110
2017-05-10 09:10.000||queue_name=MQ1||count_rec=110
2017-05-10 09:15.000||queue_name=MQ1||count_rec=130
2017-05-10 09:00.000||queue_name=MQ2||count_rec=30
2017-05-10 09:05.000||queue_name=MQ2||count_rec=60
2017-05-10 09:10.000||queue_name=MQ2||count_rec=100
2017-05-10 09:15.000||queue_name=MQ2||count_rec=100
Events are in revese chron. Order and even the fields are getting extracted. Rec_count is the number of data published to the MQ, this is the only info i could get.
So difference between value in current with prev. Events would give the count of data came in in last 5mins.
Now i am trying to show on timechart the number of records coming to the MQ over a span.
Is it possible, what should be the approach for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, like this:
your search that gets _time, queue_name and count_rec
| timechart range(count_rec) AS increase_in_this_span BY queue_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this ...
your search that gets _time, queue_name and count_rec
| bin _time span=5m
| stats max(count_rec) as count_rec by queue_name _time
| streamstats current=f last(count_rec) as prev_count by queue_name
| eval new_recs = count_rec - prev_count
| timechart span=5m sum(new_recs) by queue_name
If the records all have _times that are exactly on the 5 min mark, then the bin is probably not needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as _time is correct (matches what is in the event), order doesn't matter; just do this:
Your Base Search Here | timechart avg(count_rec) BY queue_name
Or perhaps you need sum or max instead of avg and you might need a span= if you don't like what is automatically selected for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could try, buy each event is the record count, i would need difference between the event and prior record count, in order to get exact number of records for the particular event. Post which i might use first() and then plotbon timechart.
How to get the difference?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
