Re: Timechart minimum values

dbcase · ‎02-15-2018

Hi,

I have this data this is retrieved once per hour (more or less on the hour) for the past 7 days.

readyArmed,32335,2018-02-15 12:01:38.646138 -5:00
armed,4743,2018-02-15 12:01:38.646138 -5:00

The first field is the armed state and the second field is the number of customers in that state at that time, the third field is the timestamp.

I've created a simple timechart graph showing the pattern and it looks like this. What I'd like to do is create a similar timechart graph that shows the minimum, maximum and averages of the same data over time.

cmerriman · ‎02-15-2018

index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum|eventstats max(sum) as max min(sum) as min avg(sum) as avg

based on previous comments, is something like this what you're needing?

dbcase · ‎02-15-2018

Hi cmerriman,

Interesting idea doing the post processing with eventstats. I gave it a shot and here is what happened

Time period X

Sum Value=37604 (this is good)
Avg Value=41271 (looks good)
Max Value=60718 (looks good)
Min Value=25947 (looks good)

Here is where the trouble shows up

Time period Y

Sum Value=37418 (this is good)
Avg Value=41271 (identical to time period X - possible but very unlikely)
Max Value=60718 (identical to time period X - possible but very unlikely)
Min Value=25947 (identical to time period X - possible but very unlikely)

Time period Z

Sum Value=36751 (this is good)
Avg Value=41271 (identical to time period X & Y - possible but extremely unlikely)
Max Value=60718 (identical to time period X & Y - possible but extremely unlikely)
Min Value=25947 (identical to time period X & Y - possible but extremely unlikely)

cmerriman · ‎02-15-2018

can you give a sample output of what the data should look like? I thought you meant the overall max/min/avg of sum when you stated you needed to represent the avg of the sum, min of the sum, and max of the sum. i suppose you could use streamstats instead of eventstats, and that would be a moving min/max/avg.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

micahkemp · ‎02-15-2018

If you just want the min/max/avg over the same period that your sum is over, this should work:

earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum, avg(field2) AS avg, min(field2) AS min, max(field2) AS max

dbcase · ‎02-15-2018

Hi Michahkemp,

Thanks! its close but not quite and I wasn't clear so lemme try again.

I would like the sum of field 2 min, max and avg not just field2

cmerriman · ‎02-15-2018

are you wanting it by state? or are there other fields that you want min, max, avg of?

dbcase · ‎02-15-2018

State can be armed or readyArmed, for this report they are essentially the same thing which is why I am summing the two values into one.

dbcase · ‎02-15-2018

Once summed I need to represent the sum, the avg of the sum, the minimum of the sum, and the maximum of the sum

dbcase · ‎02-15-2018

There are no other values in the data (I tried to keep in simple)

dbcase · ‎02-15-2018

Oh sorry, should have included my query

earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as ar

Timechart minimum values

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...