Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot step function to display state change of machines based on timestamp?

rakes568
Explorer
‎07-13-2017 05:05 AM

We have a list of machines in our system with their state change as On or Off along with timestamp.

 2017-07-11 12:39:01    M1    Up
 2017-07-11 12:25:39    M2    Down
 2017-07-11 10:58:27    M1    Down
 2017-07-11 10:44:32    M3    Down
 2017-07-11 10:27:33    M3    Up
 2017-07-11 09:47:52    M3    Down

I want to plot a step function of State change for all machines based on timestamp. I tried this query, but this just connects Up/Down states with slant lines, instead of creating a step function.

mysearch| eval State=if(state="Up",1,0) | chart max(State) as StateChange by _time,machine

I am using linechart for visualization. So can we create a step function visualization? Also is there a way to display StateChange as Up/Down instead of 1/0 in visualization?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2017 09:26 AM

I guess that you are going to have to figure out your own visualization answer but this search should get you the tabular data that you need:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S") 
| eval State=if(state="Up",1,0) 
| sort 0 _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart latest(State) AS StateChange BY _time machine
| filldown M*
| fillnull value="FixMeLater"
| untable _time machine StateChange
| eventstats first(State) AS firstState
| eval firstState=if((firstState=1), "0", "1")
| eval StateChange=if((StateChange="FixMeLater"), firstState, StateChange)
| xyseries _time machine StateChange
0 Karma
Reply

hegdep10
Loves-to-Learn
‎06-30-2020 08:50 AM

 @rakes568 I have the exact same requirement as you have mentioned in the very beginning of this post. I tried the last solution posted for this post but that's not what I'm looking for. In case you found a solution for this problem it will be great if you share the solution or the approach.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2017 06:55 AM

If you mean that you would like a "square wave", then you should just select column chart visualization and set the Y-axis value for min to 0 and max to 1. You can do something like this:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval State=if(state="Up",1,0) 
| timechart latest(State) AS StateChange BY machine 
| reverse 
| filldown M*
Reply

rakes568
Explorer
‎07-13-2017 08:51 AM

I need exact timestamp, that's why I used chart instead of timchart. How will column chart help? It displays a bunch of bars with value of 1, and doen't make any sense.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...