Plot step function to display state change of machines based on timestamp?

rakes568
Explorer

We have a list of machines in our system with their state change as On or Off along with timestamp.

 2017-07-11 12:39:01    M1    Up
 2017-07-11 12:25:39    M2    Down
 2017-07-11 10:58:27    M1    Down
 2017-07-11 10:44:32    M3    Down
 2017-07-11 10:27:33    M3    Up
 2017-07-11 09:47:52    M3    Down

I want to plot a step function of State change for all machines based on timestamp. I tried this query, but this just connects Up/Down states with slant lines, instead of creating a step function.

mysearch| eval State=if(state="Up",1,0) | chart max(State) as StateChange by _time,machine

I am using linechart for visualization. So can we create a step function visualization? Also is there a way to display StateChange as Up/Down instead of 1/0 in visualization?

0 Karma

woodcock
Esteemed Legend

I guess that you are going to have to figure out your own visualization answer but this search should get you the tabular data that you need:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S") 
| eval State=if(state="Up",1,0) 
| sort 0 _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart latest(State) AS StateChange BY _time machine
| filldown M*
| fillnull value="FixMeLater"
| untable _time machine StateChange
| rename COMMENT AS "After untable the field is StateChange, not State; take each machine's first real state, ignoring the FixMeLater placeholder"
| eventstats first(eval(if(StateChange!="FixMeLater", StateChange, null()))) AS firstState BY machine
| eval firstState=if((firstState=1), "0", "1")
| eval StateChange=if((StateChange="FixMeLater"), firstState, StateChange)
| xyseries _time machine StateChange
0 Karma
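The logic of the answer above (chart by timestamp, forward-fill each machine's column, and assume the opposite of the first observed state before a machine's first event) can be checked outside Splunk. The following Python is an added example and is not code from the thread or from Splunk; the sample events are constructed from the values in the question, and the function names (parse_events, step_table, step_points, to_labels) are my own. It also goes one step further than the SPL: step_points emits the duplicate points at each transition that make a plain line chart draw a square wave, and to_labels converts 1/0 back to Up/Down for display.

```python
from datetime import datetime

# Constructed sample events, same values as the question's sample data:
# timestamp, machine, state
RAW_EVENTS = """\
2017-07-11 12:39:01,M1,Up
2017-07-11 12:25:39,M2,Down
2017-07-11 10:58:27,M1,Down
2017-07-11 10:44:32,M3,Down
2017-07-11 10:27:33,M3,Up
2017-07-11 09:47:52,M3,Down
"""

STATE_VALUE = {"Up": 1, "Down": 0}
VALUE_STATE = {v: k for k, v in STATE_VALUE.items()}


def parse_events(raw):
    """Parse 'time,machine,state' lines into (datetime, machine, 0/1) tuples, oldest first."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, machine, state = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       machine, STATE_VALUE[state]))
    events.sort(key=lambda e: e[0])
    return events


def step_table(events):
    """One row per distinct timestamp holding every machine's state at that instant.

    Mirrors the SPL: chart BY _time, forward-fill (filldown) each machine, and before
    a machine's first observation assume the opposite of its first observed state.
    """
    machines = sorted({m for _, m, _ in events})
    times = sorted({t for t, _, _ in events})
    first_seen = {}
    for _, m, s in events:
        first_seen.setdefault(m, s)
    # initial state is the opposite of the first transition we see for that machine
    current = {m: 1 - first_seen[m] for m in machines}
    by_time = {}
    for t, m, s in events:
        by_time.setdefault(t, {})[m] = s          # latest(State) per _time/machine
    rows = []
    for t in times:
        current.update(by_time.get(t, {}))        # filldown: carry state forward
        rows.append((t, dict(current)))
    return machines, rows


def step_points(rows, machine):
    """(time, state) points that a plain line chart draws as a square wave:
    at each change emit the old state and the new state at the same timestamp."""
    points = []
    prev = None
    for t, states in rows:
        s = states[machine]
        if prev is None:
            points.append((t, s))
        elif s != prev:
            points.append((t, prev))
            points.append((t, s))
        prev = s
    return points


def to_labels(rows):
    """Same rows with 1/0 rendered as Up/Down for display."""
    return [(t, {m: VALUE_STATE[s] for m, s in states.items()}) for t, states in rows]


if __name__ == "__main__":
    machines, rows = step_table(parse_events(RAW_EVENTS))
    print("time".ljust(20), *machines)
    for t, states in to_labels(rows):
        print(t.strftime("%Y-%m-%d %H:%M:%S").ljust(20), *(states[m] for m in machines))
    print("M3 square-wave points:", step_points(rows, "M3"))
```

Feed step_points to any charting library as an x/y series and the result is the step function the question asks for; the duplicated timestamps at each transition are what turn the slanted lines into vertical edges.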

hegdep10
Loves-to-Learn

 @rakes568 I have the exact same requirement as you have mentioned in the very beginning of this post. I tried the last solution posted for this post but that's not what I'm looking for. In case you found a solution for this problem it will be great if you share the solution or the approach.

0 Karma

woodcock
Esteemed Legend

If you mean that you would like a "square wave", then you should just select column chart visualization and set the Y-axis value for min to 0 and max to 1. You can do something like this:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval State=if(state="Up",1,0) 
| timechart latest(State) AS StateChange BY machine 
| reverse 
| filldown M*
0 Karma

rakes568
Explorer

I need the exact timestamp, that's why I used chart instead of timechart. How will column chart help? It displays a bunch of bars with value of 1, and doesn't make any sense.

0 Karma