Timechart minimum values

dbcase · ‎02-15-2018

Hi,

I have this data this is retrieved once per hour (more or less on the hour) for the past 7 days.

readyArmed,32335,2018-02-15 12:01:38.646138 -5:00
armed,4743,2018-02-15 12:01:38.646138 -5:00

The first field is the armed state and the second field is the number of customers in that state at that time, the third field is the timestamp.

I've created a simple timechart graph showing the pattern and it looks like this. What I'd like to do is create a similar timechart graph that shows the minimum, maximum and averages of the same data over time.

alt text

cmerriman · ‎02-15-2018

index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum|eventstats max(sum) as max min(sum) as min avg(sum) as avg

based on previous comments, is something like this what you're needing?

dbcase · ‎02-15-2018

Hi cmerriman,

Interesting idea doing the post processing with eventstats. I gave it a shot and here is what happened

Time period X

Sum Value=37604 (this is good)
Avg Value=41271 (looks good)
Max Value=60718 (looks good)
Min Value=25947 (looks good)

Here is where the trouble shows up

Time period Y

Sum Value=37418 (this is good)
Avg Value=41271 (identical to time period X - possible but very unlikely)
Max Value=60718 (identical to time period X - possible but very unlikely)
Min Value=25947 (identical to time period X - possible but very unlikely)

Time period Z

Sum Value=36751 (this is good)
Avg Value=41271 (identical to time period X & Y - possible but extremely unlikely)
Max Value=60718 (identical to time period X & Y - possible but extremely unlikely)
Min Value=25947 (identical to time period X & Y - possible but extremely unlikely)

cmerriman · ‎02-15-2018

can you give a sample output of what the data should look like? I thought you meant the overall max/min/avg of sum when you stated you needed to represent the avg of the sum, min of the sum, and max of the sum. i suppose you could use streamstats instead of eventstats, and that would be a moving min/max/avg.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

micahkemp · ‎02-15-2018

If you just want the min/max/avg over the same period that your sum is over, this should work:

earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum, avg(field2) AS avg, min(field2) AS min, max(field2) AS max

dbcase · ‎02-15-2018

Hi Michahkemp,

Thanks! its close but not quite and I wasn't clear so lemme try again.

I would like the sum of field 2 min, max and avg not just field2

cmerriman · ‎02-15-2018

are you wanting it by state? or are there other fields that you want min, max, avg of?

dbcase · ‎02-15-2018

State can be armed or readyArmed, for this report they are essentially the same thing which is why I am summing the two values into one.

dbcase · ‎02-15-2018

Once summed I need to represent the sum, the avg of the sum, the minimum of the sum, and the maximum of the sum

dbcase · ‎02-15-2018

There are no other values in the data (I tried to keep in simple)

dbcase · ‎02-15-2018

Oh sorry, should have included my query

earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as ar

Timechart minimum values

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies