Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to show accumulated sum over bin of time

ericyeh1995
Explorer
‎06-25-2017 11:36 PM

I would like to calculate the accumulated energy used over a period of 15 minutes. The sum has to start around min%15==0 (hh:00, hh:15, hh:30, hh:45). The plot should look similar to a sawtooth plot with accumulated power reset to 0 every 15 minutes.

Currently, I am able to create an accumulated plot for a specific window:

host=pm_energy  | reverse | accum d.Act_power_realtime{} as tot_pow | timechart last(tot_pow) span=20s

But I couldn't get it to reset every 15 minutes. I want my graph to look like this:
alt text
Where the data used in the above graph is calculated in a separate program.

Preview file
39 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-26-2017 07:05 PM

Try this - 

 host=pm_energy  
| reverse
| rename COMMENT as "Above gets the records in time order"

| rename COMMENT as "Set each 15 minute time period as its own pulse of time" 
| eval timepulse=floor(_time/900) 

| rename COMMENT as "Accumulate power for each pulse" 
| streamstats current=t sum(d.Act_power_realtime{}) as tot_pow by timepulse 

| rename COMMENT as "Drop unneeded data and present results" 
| table _time tot_pow
| timechart last(tot_pow) as tot_pow span=20s

Notes - You might want to consider whether you want 8:15 exactly to be the beginning of 8:15:00.000-8:29:59.999 or the end of 8:00:00.001-8:15:00.000

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-26-2017 07:05 PM

Try this - 

 host=pm_energy  
| reverse
| rename COMMENT as "Above gets the records in time order"

| rename COMMENT as "Set each 15 minute time period as its own pulse of time" 
| eval timepulse=floor(_time/900) 

| rename COMMENT as "Accumulate power for each pulse" 
| streamstats current=t sum(d.Act_power_realtime{}) as tot_pow by timepulse 

| rename COMMENT as "Drop unneeded data and present results" 
| table _time tot_pow
| timechart last(tot_pow) as tot_pow span=20s

Notes - You might want to consider whether you want 8:15 exactly to be the beginning of 8:15:00.000-8:29:59.999 or the end of 8:00:00.001-8:15:00.000

Reply
Solved! Jump to solution

ericyeh1995
Explorer
‎06-27-2017 01:09 AM

Thank you! This works great!

Reply
Solved! Jump to solution

rjthibod
Champion
‎06-26-2017 05:12 AM

You can use streamtstats and the time_window option.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

host=pm_energy | streamstats time_window=15m sum(d.Act_power_realtime{}) as tot_pow | timechart last(tot_pow) span=20s

0 Karma
Reply
Solved! Jump to solution

ericyeh1995
Explorer
‎06-26-2017 05:51 PM

I got an error saying by using the time_window the input has to be in sorted in time order. Any suggestion to fix this?

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎06-27-2017 04:15 AM

Probably add |sort 0 +_time after the initial search filter.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...