Quick TimeChart Question

colinmchugo · ‎07-13-2017

| timechart count | timechart per_day(count) span=24h

Can someone breakdown this for me as i am trying to figure out if i want to display events or statistics. As correct me if i am wrong Statistic tab show unique values so it effectively is deduping ? There just seems like drastically different figures and i want to be sure which is correct.

So if i want to logins and the events are 943 but the tats are showing me 25 but the visualization single value is showing me 14 -28 over the last 24 hours using span=1h count by Created_at

Which is correct? I want to be able to show unique events over 24 hours and what it compares with for the last 24 hours excluding weekends. As i want to know if we are receiving data or not and know when a log goes down. thanks again

DalJeanis · ‎07-13-2017

ROFL. You're just trying too hard. You've told it three times what you only had to say once.

Okay, your first timechart command is counting up all the events by a certain chunk of time. You're letting splunk decide how big a chunk. Let's assume splunk decides to do it by hour. Then, your second timechart is taking the output of that, and chunking those up to day level. My guess is that you have 25 days of data you are looking at, and each one of them would have 24 hours, or 266 5-minute chunks, or whatever, and then it's calculating the per-day average value, which will be the same as the 24 hour value so it's not doing anything REALLY confusing. You could change that to per_minute and see what happens. Heh.

Try this...

| timechart span=1d count as daycount

or this

| timechart span=1h count as hourcount

colinmchugo · ‎07-14-2017

Thanks So much Dal, i think i am very eager to solve this 🙂 Ok ive tried that and it looks like it working but i want to be sure. So first clarification is that when you get events this is effectively non dedup'd data. Then the stats and subsequent visualization is the real unique data set? As this is confusing when you see 1000+ events but the stats stat 26 or something.

Then your above answer id like to understand. So i want to compare the last 24 hours with the current 24 hours or basically show that e.g. when someone logins event is 25 yesterday and today as its early morning its only 5 that there is a 20 event deviation so the trend would have a -20 and arrow pointing down showing me that in the last 24 hours there were 20 more events. I want this and the trend line showing last couple of days so i can see for example if the logs stopped for some reason there would be a flatline rather than a daily spike. I am not sure if the above formula does all that?

So your formula states to look at 1 day and count by day or 1 hour span and count per hour. If this is so do you do the search over 7days or 30 days then this formula so it can show what i need or ? thanks a billion.

C.

colinmchugo · ‎07-14-2017

Hi lads, got it working with this

My only thing i would love besides this would see the trendline over 7 days so can see if the logs are not coming in etc. Any ideas and is there any more efficient way of doing the above? thanks

colinmchugo · ‎07-14-2017

Think i have it, is it timechart span=24h count as daycount ?

colinmchugo · ‎07-14-2017

Some searches of these logs are 1h, most are 24 hours and some 3d & 7D. I want to show the trends of these logs with the trendlines and then the deviation from today compared to yesterday thats all. thanks

colinmchugo · ‎07-14-2017

The only formula that gives the accurate number is stats count so i am perplexed to why the timespan command wont give the correct answer along with the above mentioned, thanks really appreciate this. I am not going to let this break me 🙂

Quick TimeChart Question

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms