Splunk Search

line chart cumulative counters by host

bmacias84
Champion

Problem: Creating a line chart from a cumulative counter (e.g. snmp ifOutOctets or Windows TCP counters) for multiple hosts on a single chart. These counters can also reset to zero at any point.

I figured I'd use autoregress, which was easy enough and works great for one host, but has problems with multiple hosts.

Search: index="someindex" sourcetype="perfmon" host="SERVER01" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets

Results:

_time                    resets
8/8/12 5:45:00.000 PM
8/8/12 5:40:00.000 PM    49.000000
8/8/12 5:35:00.000 PM    45.200000
8/8/12 5:30:00.000 PM    49.600000
8/8/12 5:25:00.000 PM    47.800000
8/8/12 5:20:00.000 PM    46.400000
8/8/12 5:15:00.000 PM    47.800000

Now with multiple hosts the results are incorrect.

Search: index="someindex" sourcetype="perfmon" host="SERVER*" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n, null()) | timechart span=5m avg(resets) as resets by host

Results:

_time                    SERVER01        SERVER02        SERVER03
8/8/12 5:45:00.000 PM
8/8/12 5:40:00.000 PM    67081.666667    66770.750000    665843.250000
8/8/12 5:35:00.000 PM    67081.000000    66771.000000    665615.000000
8/8/12 5:30:00.000 PM    67080.000000    66771.000000    665356.600000
8/8/12 5:25:00.000 PM    67080.000000    66771.000000    665112.200000
8/8/12 5:20:00.000 PM    67080.000000    66771.000000    303296.000000
8/8/12 5:15:00.000 PM    67080.200000    66771.200000    62203.000000

1 Solution

bmacias84
Champion

I solved my problem by sorting on the host field, adding autoregress for the host field, and an eval to check whether the previous host field matches the current one.

Search: index="someindex" sourcetype="perfmon" host="SERVER*" | sort host | reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n, null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host

Results:

_time                    SERVER01      SERVER02      SERVER03
8/8/12 5:00:00.000 PM    57.000000     60.000000     51.000000
8/8/12 5:05:00.000 PM    56.400000     55.200000     57.400000
8/8/12 5:10:00.000 PM    50.000000     55.500000     55.000000
8/8/12 5:15:00.000 PM    48.400000     51.200000     47.800000
8/8/12 5:20:00.000 PM    48.200000     50.400000     46.400000

I hope this all makes sense. Any suggestion would be great. Thanks.
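The following Python is an added illustration of the two pipelines above, not code from the thread or from Splunk: it replays the same steps (autoregress, the `n >= 0` reset filter, the same-host check, and a span-bucketed average) over constructed counter samples so the effect of the per-host check can be seen directly. The sample data, the 60-second polling interval, and the 5-minute span are all assumptions; SERVER03 is given a counter reset partway through to exercise the `null()` branch. A sustained jump in a per-host reset-rate series like this is the kind of baseline deviation a monitoring team would alert on, so getting the delta right matters beyond the chart.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Sample = Tuple[int, str, int]  # (_time as epoch seconds, host, counter value)

# Constructed sample data (not from the thread): three hosts report a
# cumulative counter once a minute; SERVER03's counter resets to zero at t=120.
SAMPLES: List[Sample] = [
    (0, "SERVER01", 1000), (60, "SERVER01", 1050), (120, "SERVER01", 1100), (180, "SERVER01", 1160),
    (0, "SERVER02", 5000), (60, "SERVER02", 5060), (120, "SERVER02", 5110), (180, "SERVER02", 5170),
    (0, "SERVER03", 900),  (60, "SERVER03", 950),  (120, "SERVER03", 10),   (180, "SERVER03", 60),
]


def naive_deltas(samples: List[Sample]) -> List[Sample]:
    """Mirror the first multi-host search: order by time only, then autoregress
    the counter across the whole stream, so adjacent rows often belong to
    different hosts and the subtraction compares unrelated counters."""
    out: List[Sample] = []
    prev: Optional[int] = None
    for t, host, value in sorted(samples, key=lambda s: s[0]):
        if prev is not None:
            n = value - prev
            if n >= 0:  # eval resets = if(n >= 0, n, null())
                out.append((t, host, n))
        prev = value
    return out


def per_host_deltas(samples: List[Sample]) -> List[Sample]:
    """Mirror the accepted solution: sort by host (then time), autoregress both
    the counter and the host, and keep a delta only when the previous row came
    from the same host. A negative delta (counter reset or wrap) is dropped."""
    out: List[Sample] = []
    prev_value: Optional[int] = None
    prev_host: Optional[str] = None
    for t, host, value in sorted(samples, key=lambda s: (s[1], s[0])):
        if prev_value is not None and host == prev_host:  # if(host == prehost, ...)
            n = value - prev_value
            if n >= 0:
                out.append((t, host, n))
        prev_value, prev_host = value, host
    return out


def timechart_avg(deltas: List[Sample], span: int = 300) -> Dict[int, Dict[str, float]]:
    """timechart span=<span>s avg(resets) by host: bucket on _time, average per host."""
    buckets: Dict[int, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for t, host, n in deltas:
        buckets[t - t % span][host].append(n)
    return {
        bucket: {host: sum(v) / len(v) for host, v in hosts.items()}
        for bucket, hosts in buckets.items()
    }


if __name__ == "__main__":
    print("naive   :", timechart_avg(naive_deltas(SAMPLES)))
    print("per host:", timechart_avg(per_host_deltas(SAMPLES)))
```

With the constructed data the per-host version yields averages in the tens for every host and silently skips SERVER03's reset interval, while the naive version produces values in the thousands for SERVER01 and SERVER02 and nothing at all for SERVER03, which is the same shape of error as the 67081/665843 figures in the second result table. One Splunk-specific caveat when applying the accepted search: `sort` truncates to 10000 results by default, so on a large time range use `sort 0 host` to keep every event before the autoregress step.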

sinash
Explorer

This seems to be working.
