Splunk Search

how to subtract value when making a chart

chadman
Path Finder

I have a chart that shows total bytes sent on a computer. The chart seems to work, but it's hard to read. Since this number keeps increasing, it's hard to read in chart form because it's such a high number. Can I subtract the first result from all the numbers in my chart? That way the first plot would be 0 and the user can see the increase over time. Here is what I have now. What would I change to do that?

<chart>
  <searchTemplate>sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as "Bytes Sent"</searchTemplate>
  <title>Bytes Sent</title>
  <option name="charting.axisTitleX.text">Date</option>
  <option name="charting.axisTitleY.text">Bytes Sent</option>
  <option name="charting.chart">area</option>
  <option name="charting.primaryAxisTitle.text"/>
  <option name="displayRowNumbers">true</option>
</chart>
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as "Bytes Sent"
| eventstats first("Bytes Sent") AS FBS
| eval "Bytes Sent" = "Bytes Sent" - FBS

diogofgm
SplunkTrust

Why not use delta so you have only the difference?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta

Try this search:

sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as total_bytes | delta total_bytes as "Bytes Sent" | fields -total_bytes
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

chadman
Path Finder

Very cool, I understand it now. I never even thought about making the chart like this, but I really like the idea. It seems to be easy to read and find the spikes fast.

0 Karma

chadman
Path Finder

I tried that, but it did not show the correct numbers I was expecting. I double checked and my data is correct and all the numbers increase. It should chart a line that continues to go up. This chart showed numbers going up and down.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

It's the bytes sent over time, not the total sum of bytes sent.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

chadman
Path Finder

I think I'm doing something wrong. I get this:

Error in 'eval' command: Typechecking failed. '-' only takes numbers.

0 Karma

somesoni2
Revered Legend

Replace | eval "Bytes Sent" = "Bytes Sent" - FBS with | eval "Bytes Sent" = 'Bytes Sent' - FBS

0 Karma

woodcock
Esteemed Legend

Yes, I used the wrong quotes.

0 Karma

chadman
Path Finder

Perfect! Got it working. Thanks for all the help.

0 Karma

chadman
Path Finder

I think that is close! The chart is showing the FBS value and not the "Bytes Sent". Sorry, I don't use Splunk very often. I'm sure I'm missing something simple.

0 Karma

chadman
Path Finder

I see the chart is showing values for both Bytes Sent and FBS. How do I remove the FBS from my chart?

0 Karma

woodcock
Esteemed Legend

See comment above.

0 Karma

woodcock
Esteemed Legend

Add this to the end:

... | fields - FBS
0 Karma
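Putting the thread together, as an added example that is not from any of the posters: the accepted baseline subtraction (using the single-quoted field reference somesoni2 pointed out, since double quotes in eval mean a string literal), diogofgm's delta alongside it, a guard that blanks a negative delta (a cumulative counter that drops, for example after the host restarts, would otherwise draw a misleading downward spike), and the helper fields removed so they do not appear in the chart. The span=1h and the output field names are assumptions.

```spl
sourcetype="mylog" host=$desktop$
| timechart span=1h avg(bytes_sent) AS total_bytes
| eventstats first(total_bytes) AS baseline
| eval "Bytes Sent since start" = total_bytes - baseline
| delta total_bytes AS "Bytes Sent this hour"
| eval "Bytes Sent this hour" = if('Bytes Sent this hour' < 0, null(), 'Bytes Sent this hour')
| fields - total_bytes baseline
```

The first bucket has no previous value, so "Bytes Sent this hour" is empty there by design; after a counter reset the baseline-subtracted series also stops meaning "since the start of the search window", so the delta series is the one to trust for spotting spikes.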