Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot step function to display state change of machines based on timestamp?

rakes568
Explorer
‎07-13-2017 05:05 AM

We have a list of machines in our system with their state change as On or Off along with timestamp.

 2017-07-11 12:39:01    M1    Up
 2017-07-11 12:25:39    M2    Down
 2017-07-11 10:58:27    M1    Down
 2017-07-11 10:44:32    M3    Down
 2017-07-11 10:27:33    M3    Up
 2017-07-11 09:47:52    M3    Down

I want to plot a step function of State change for all machines based on timestamp. I tried this query, but this just connects Up/Down states with slant lines, instead of creating a step function.

mysearch| eval State=if(state="Up",1,0) | chart max(State) as StateChange by _time,machine

I am using linechart for visualization. So can we create a step function visualization? Also is there a way to display StateChange as Up/Down instead of 1/0 in visualization?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2017 09:26 AM

I guess that you are going to have to figure out your own visualization answer but this search should get you the tabular data that you need:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S") 
| eval State=if(state="Up",1,0) 
| sort 0 _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart latest(State) AS StateChange BY _time machine
| filldown M*
| fillnull value="FixMeLater"
| untable _time machine StateChange
| eventstats first(State) AS firstState
| eval firstState=if((firstState=1), "0", "1")
| eval StateChange=if((StateChange="FixMeLater"), firstState, StateChange)
| xyseries _time machine StateChange
0 Karma
Reply

hegdep10
Loves-to-Learn
‎06-30-2020 08:50 AM

 @rakes568 I have the exact same requirement as you have mentioned in the very beginning of this post. I tried the last solution posted for this post but that's not what I'm looking for. In case you found a solution for this problem it will be great if you share the solution or the approach.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2017 06:55 AM

If you mean that you would like a "square wave", then you should just select column chart visualization and set the Y-axis value for min to 0 and max to 1. You can do something like this:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval State=if(state="Up",1,0) 
| timechart latest(State) AS StateChange BY machine 
| reverse 
| filldown M*
Reply

rakes568
Explorer
‎07-13-2017 08:51 AM

I need exact timestamp, that's why I used chart instead of timchart. How will column chart help? It displays a bunch of bars with value of 1, and doen't make any sense.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top