Splunk Search
Highlighted

Timechart Command to calculate totals for 7 days

Builder

I have a search that I'm using to populate some charts in a dashboard. The search is checking a log and charting the top 20 users who have used the most disk space in their home directories. It works great for a 24 hour period...However I can't seem to get it to work for longer periods such as 7 days or more.

What I'd like to do is that if you choose 7 days, it would display the top 20 users who were using the most space after pretty much calculating space usage for 7 days per user. You'd be able to see the user's space usage over a 7 day period. This would allow you to see when a spike may have occurred that caused a disk issue.

The search I have right now is :

host="ynfs1" sourcetype=userdiskusage earliest=-1d@d latest=-0d@d | rex field=_raw "(?<Space>[\d]+)\s*\/home\/(?<UserName>\S+)" max_match=1000 | search NOT UserName="shares" | table UserName Space | sort -Space | head 20

This search is used to create an area chart on a dashboard. I have a time range picker to change the time from 24 hours to 7 days, but when I do the results are not what I would like. Nothing happens for the most part. Here's my dashboard code:

    <view template="dashboard.html">
  <label>YNFS1 Space Usage</label>
  <module name="AccountBar" layoutPanel="navigationHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>

  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">True</param>
    <param name="default">Last 24 hours</param>
      <module name="HiddenSavedSearch" layoutPanel="panel_row2_col1" group="Space Usage by user over a given time" autoRun="True">
        <param name="savedSearch">Andrew ynfs1 search</param>
        <module name="HiddenChartFormatter">
          <param name="charting.chart">area</param>
          <param name="chart.stackMode">stacked</param>
          <param name="secondaryAxisTitle.text">Space</param>
          <module name="JobProgressIndicator"></module>
            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="height">400px</param>
            </module>
          </module>
          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline</param>
            <param name="popup">True</param>      
          </module> 
      </module>
      <module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="Space Usage by user over a given time" autoRun="True">
        <param name="savedSearch">Andrew ynfs1 search</param>
        <module name="HiddenChartFormatter">
          <param name="charting.chart">pie</param>
          <module name="JobProgressIndicator">
            <module name="FlashChart">
              <param name="width">100%</param>
              <param name="height">400px</param>
             </module>
          </module>
          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline</param>
            <param name="popup">True</param>      
          </module> 
        </module>
     </module>
     <module name="HiddenSavedSearch" layoutPanel="panel_row3_col2" group="Space Usage by user over a given time" autoRun="True">
       <param name="savedSearch">Andrew ynfs1 search</param>
       <module name="SimpleResultsTable"></module>
       <module name="ViewRedirectorLink">
         <param name="viewTarget">flashtimeline</param>
         <param name="popup">True</param>      
       </module> 
    </module>
  </module> 
</view>

I've been looking into timechart as I believe I have to use this command to make this happen. I also tried doing a timechart sum of Space by Username but the results didn't look right. Any ideas?

Tags (1)
0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

I think the first issue here is that you hardcoded the timerange into the search. try removing the earliest and latest. That should fix your timerange dropdown issue. Try the following search

host="ynfs1" sourcetype=userdiskusage | rex field=raw "(?[\d]+)\s*\/home\/(?\S+)" maxmatch=1000 | search NOT UserName="shares" | bucket _time span=1d | eval day=strftime(day,"%Y-%m-%d") | chart sum(Space) over day by UserName

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

You should be able to chart this. If you want to have a little more granularity into space usage, change the span to 1h or 1m or whatever you want.

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

it just says no results found and the charts are empty.

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

let me try running it manually

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

my bad run this:

host="ynfs1" sourcetype=userdiskusage | rex field=raw "(?[d]+)s*/home/(?S+)" maxmatch=1000 | search NOT UserName="shares" | bucket _time span=1d as day | eval day=strftime(day,"%Y-%m-%d") | chart sum(Space) over day by UserName

I forgot to add the "as day" after bucket _time span=1d It should work now.

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

still not working. what's the eval day=strftime

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

ah it looks like your rex field extraction is all lowercase. try this:

host="ynfs1" sourcetype=userdiskusage | rex field=raw "(?[d]+)s*/home/(?S+)" maxmatch=1000 | search NOT UserName="shares" | bucket _time span=1d as day | eval day=strftime(day,"%Y-%m-%d") | chart sum(space) over day by userame

strftime: This function takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y.

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

The search stops producing any results as soon as I do the chart command. I tried using timechart but didn't seem to get it right. Also the only results I have is a list of _time and that's it.

0 Karma
Highlighted

Re: Timechart Command to calculate totals for 7 days

Builder

also i left the hardcoded time range in the search just to see if the charts did work. my bad

0 Karma