Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Plot step function to display state change of machines based on timestamp?

rakes568
Explorer
‎07-13-2017 05:05 AM

We have a list of machines in our system with their state change as On or Off along with timestamp.

 2017-07-11 12:39:01    M1    Up
 2017-07-11 12:25:39    M2    Down
 2017-07-11 10:58:27    M1    Down
 2017-07-11 10:44:32    M3    Down
 2017-07-11 10:27:33    M3    Up
 2017-07-11 09:47:52    M3    Down

I want to plot a step function of State change for all machines based on timestamp. I tried this query, but this just connects Up/Down states with slant lines, instead of creating a step function.

mysearch| eval State=if(state="Up",1,0) | chart max(State) as StateChange by _time,machine

I am using linechart for visualization. So can we create a step function visualization? Also is there a way to display StateChange as Up/Down instead of 1/0 in visualization?

0 Karma
Reply
Highlighted

Re: Plot step function to display state change of machines based on timestamp?

woodcock
Esteemed Legend
‎07-13-2017 06:55 AM

If you mean that you would like a "square wave", then you should just select column chart visualization and set the Y-axis value for min to 0 and max to 1. You can do something like this:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval State=if(state="Up",1,0) 
| timechart latest(State) AS StateChange BY machine 
| reverse 
| filldown M*
0 Karma
Reply
Highlighted

Re: Plot step function to display state change of machines based on timestamp?

rakes568
Explorer
‎07-13-2017 08:51 AM

I need exact timestamp, that's why I used chart instead of timchart. How will column chart help? It displays a bunch of bars with value of 1, and doen't make any sense.

0 Karma
Reply
Highlighted

Re: Plot step function to display state change of machines based on timestamp?

woodcock
Esteemed Legend
‎07-13-2017 09:26 AM

I guess that you are going to have to figure out your own visualization answer but this search should get you the tabular data that you need:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S") 
| eval State=if(state="Up",1,0) 
| sort 0 _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart latest(State) AS StateChange BY _time machine
| filldown M*
| fillnull value="FixMeLater"
| untable _time machine StateChange
| eventstats first(State) AS firstState
| eval firstState=if((firstState=1), "0", "1")
| eval StateChange=if((StateChange="FixMeLater"), firstState, StateChange)
| xyseries _time machine StateChange
0 Karma
Reply
Highlighted

Re: Plot step function to display state change of machines based on timestamp?

hegdep10
Observer
yesterday

 @rakes568 I have the exact same requirement as you have mentioned in the very beginning of this post. I tried the last solution posted for this post but that's not what I'm looking for. In case you found a solution for this problem it will be great if you share the solution or the approach.

0 Karma
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.