Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timechart - _time subsearch issue

splunk_zen
Builder
‎03-14-2013 12:26 PM

I need to feed several days most busy hour into a weighted score evolution over time,
which I'm running troubles into..
Let's say I the subsearch outputs something like the following into my main search.

(date_month = february AND date_mday = 13 AND date_hour = 20) OR (date_month = february AND date_mday = 14 AND date_hour = 20)

I need to sum some values as components to the final expression, but considering I need the score evolution over time I've added by Platform date_month date_mday date_hour so I don't lose the _time attributes.

My current expression,

(...)
| eval OptimumMem = case(
Platform=="SCPs" AND MemUsedPct <= 60, 1,
Platform=="DSCPs" AND MemUsedPct <= 75, 1,
(...)
Platform=="MGRs" AND MemUsedPct <= 60, 1
)
| eval AcceptableMem = case(
Platform=="SCPs" AND MemUsedPct > 60 AND MemUsedPct <= 75, 1,
Platform=="DSCPs" AND MemUsedPct > 75 AND MemUsedPct <= 90, 1,
(...)
Platform=="MGRs" AND MemUsedPct > 60 AND MemUsedPct <= 75, 1
)
| stats count(MemUsedPct) as TotalEvents sum(OptimumMem) as TotalOptimumMem sum(AcceptableMem) as TotalAcceptableMem by Platform date_month date_mday date_hour
    | fillnull 
| eval ScpMemApdex=if(Platform="SCPs",(TotalOptimumMem + TotalAcceptableMem/2) / TotalEvents,0)
| eval DscpMemApdex=if(Platform="DSCPs",(TotalOptimumMem + TotalAcceptableMem/2) / TotalEvents,0)
(...)
| eval MgrMemApdex=if(Platform="MGRs",(TotalOptimumMem + TotalAcceptableMem/2) / TotalEvents,0)
    | eval ApdexScore=round(100*(0.17*ScpMemApdex + 0.17*DscpMemApdex + 0.4*SdpMemApdex + 0.15*SmpMemApdex + 0.07*BitMemApdex + 0.04*MgrMemApdex), 2)

is returning,

Platform    date_month  date_mday   date_hour   TotalEvents     TotalOptimumMem     TotalAcceptableMem  ApdexScore  DscpMemApdex    MgrMemApdex     ScpMemApdex
DSCPs   february    13  20  48  48  0   **17.00**   1   0   0       
MGRs    february    13  20  36  36  0   **4.00**    0   1   0

How should I change it so I don't get No results found when adding

| timechart sum(ApdexScore)

?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎03-14-2013 01:51 PM

You need to reconstruct _time. If there's no _time field, timechart will not work

so do something like this before the timechart :

... | eval _time=strptime(date_hour." ".date_mday." ".date_month,"%H %d %B")

Then add :

| timechart sum(ApdexScore)

You may actually want to include the year too ...

View solution in original post

Reply
Solved! Jump to solution

splunk_zen
Builder
‎03-15-2013 04:49 AM

Actually, no. Those ** were just to stand out.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 02:17 PM

If you bin your original events into hours you could group by _time instead of those three, hence keeping the actual _time all the way through.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-18-2013 04:48 AM

Something like bucket _time span=1h

0 Karma
Reply
Solved! Jump to solution

splunk_zen
Builder
‎03-18-2013 04:45 AM

Martin, how does the bin expression before stats look like?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-15-2013 05:57 AM

I was thinking of binning by hour after you determine the day's value, right before the final stats.

0 Karma
Reply
Solved! Jump to solution

splunk_zen
Builder
‎03-15-2013 02:19 AM

Martin, I started using that approach, the issue with it is that forcing _time, would return the same value across all the main search timestamps, which would run me into trouble summing them in the timechart expression (whereas I need to compute a single daily value - representative of the busiest hour)

_time Platform TotalEvents TotalOptimumMem TotalAcceptableMem DscpMemApdex ScpMemApdex
13/02/2013 20:00:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:05:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:10:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:15:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:20:00.000 DSCPs 4 4 0 1 0

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎03-14-2013 01:51 PM

You need to reconstruct _time. If there's no _time field, timechart will not work

so do something like this before the timechart :

... | eval _time=strptime(date_hour." ".date_mday." ".date_month,"%H %d %B")

Then add :

| timechart sum(ApdexScore)

You may actually want to include the year too ...

Reply
Solved! Jump to solution

splunk_zen
Builder
‎03-15-2013 01:59 AM

Flawless !
Thank you jonuwz, really.
I was getting trouble wrapping my head over what was the culprit.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-14-2013 12:44 PM

Are the ** on the ApdexScore part of the field value?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...