Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timechart - How to plot the latest available data for each input over time?

asherman
Path Finder
‎08-18-2014 03:41 PM

Hello,

I am trying to represent the change in error for ~30,000 inputs over time. Not all inputs are updated routinely (e.g., some are updated multiple times a day, while others are updated every other day, etc.). I would like to plot over time the latest available data for each input (so not restricted to the time, rather from the beginning of time up until the edge of the current bin). I can think of it as charting the result of the dedup command overtime.

E.g.: input=rows, time=columns, >0.5 is a failure (excluded), '-' means no input that day

    d1    d2   d3    d4
I1: 0.7   -   0.3   0.4
I2: 0.3  0.6  0.4    -
I3: 0.5   -   0.2   0.6

Would produce a plot of values:

    d1 d2 d3 d4
I1: 0  0  1   1
I2: 1  0  1   0
I3: 1  1  1   0
sum:2  1  3   0

I have been trying to use the streamstats function, but haven't been successful:

index=test_index3 max_err="*" | bin _time span=1d | dedup name, path  
| streamstats sum(eval(max_err<0.05 AND max_err>-0.05)) as data, count as total by block
| eval percent=round(data/total*100,3)
| timechart max(percent) as data by block

The data is of the form "...name=some_name,path=some_path,block=some_block,max_err=0.043,...", etc.

Any help would be appreciated. Thanks.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-19-2014 02:08 PM

Try this

index=test_index3 max_err="*" | bin _time span=1d | dedup name, path  
| eventstats count as total by block | where max_err<0.05 AND max_err>-0.05
| streamstats sum(max_err) as data by block
| eval percent=round(data/total*100,3)
| timechart max(percent) as data by block
0 Karma
Reply

asherman
Path Finder
‎08-18-2014 04:14 PM

I want a sum of all the errors that are +/- 5% from the beginning of time until a given point, subtracting duplicates (i.e., only consider the latest data).

So, the bins on the chart would be look something like {(-infty,-10), (-infty,-9), ..., (-infty, today)}, each plotting the total number of 'okay' entries, using the latest data for each unique entry up until the related day.

0 Karma
Reply

strive
Influencer
‎08-18-2014 04:08 PM

Per day you want to sum up everything OR for a given day plot the latest data for that day for an input?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...