I am trying to make a nice timechart of how many objects are unavailable at a specific time.
In my log I have start and end events for every outage, and they are bound together nicely. I have also calculated how long these outages last (to minute accuracy).
When I try to draw the timechart with:
index=alarms event=add OR event=clear
| transaction event_id startswith=(event=add) endswith=(event=clear) keepevicted=true
| timechart dc(event_id)
A restaurant has a log for every seat recording when a customer sits down and when they stand up. Every customer takes a different amount of time to eat. I want to know, in a graph, how many customers we have in each specific 15 min time window.
For this kind of question there is no need to sample every second.
If you want to measure the concurrency of elements with a duration you should:
* Align the buckets to the periods that you like:
| eval bucket_time_size=1800
| eval start_bucket_time=START_TIME-(START_TIME%bucket_time_size)
| eval end_bucket_time=END_TIME-(END_TIME%bucket_time_size)
* Create the ranges in a variable of the events for the bucket size you defined
* Expand the variable (and the events)
* Assign the _time to the new expanded field.
With that you will have the concurrent elements in a certain time frame. Calculating how much of each bucket is really used will be like the duration_bucket calculation in the previous answer.
More detailed explanation in: http://answers.splunk.com/answers/223129/how-to-distribute-an-event-among-many-time-buckets.html
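The four steps above put together as one runnable search. This is an added example, not the answer author's search: the outage rows are constructed inline with makeresults so it runs without an index, the field names event_id, START_TIME and END_TIME are assumed from this thread, and mvrange/mvexpand are used for the "create the ranges" and "expand" steps. The last eval also shows the per-bucket "how much is really used" calculation the answer refers to.

```spl
| makeresults count=1
| eval rows="A|1700000000|1700002700;B|1700001800|1700006000;C|1700004000|1700004600"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<event_id>[^|]+)\|(?<START_TIME>\d+)\|(?<END_TIME>\d+)$"
| eval START_TIME=tonumber(START_TIME), END_TIME=tonumber(END_TIME)
| eval bucket_time_size=1800
| eval start_bucket_time=START_TIME-(START_TIME%bucket_time_size)
| eval end_bucket_time=END_TIME-(END_TIME%bucket_time_size)
| eval bucket_times=mvrange(start_bucket_time, end_bucket_time+bucket_time_size, bucket_time_size)
| mvexpand bucket_times
| eval _time=bucket_times
| eval used_secs=min(END_TIME, _time+bucket_time_size)-max(START_TIME, _time)
| timechart span=30m dc(event_id) AS concurrent_outages sum(used_secs) AS outage_seconds
```

Replace the first five lines with your real search (for example the bound add/clear transactions, which already carry a start time and duration) and keep bucket_time_size equal to the timechart span; with 900 and span=15m you get the 15 min restaurant view from the question. Each outage now contributes one row per bucket it overlaps, so dc(event_id) per bucket is the true concurrency rather than the number of outages that happened to start in that bucket, which is what timechart over the raw transactions counts.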
Whenever I see questions about keeping track of state like this I immediately think of this excellent blog post covering the subject: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
Well, what I understood from that blog was "you should check the status of your monitored item every second if you want a good occupancy report". I can't agree more that it is the most reliable way to do that. I am not sure how wise it is when I have 1000+ items to look after.