Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

line chart cumulative counters by host

bmacias84
Champion
‎08-09-2012 08:58 AM

Problem: Creating a line chart from cumulative counter (i.e. snmp ifOutOctets or Windows TCP counters) for multiple hosts on a single chart. This counters can also reset zero an point.

I figured I'd use autoregress which was easy enough and works great for one host by has problem with multiple hosts

Search: index="someindex" sourcetype="perfmon" host="SERVER01" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets

Results:

_time resets

8/8/12 5:45:00.000 PM

8/8/12 5:40:00.000 PM 49.000000

8/8/12 5:35:00.000 PM 45.200000

8/8/12 5:30:00.000 PM 49.600000

8/8/12 5:25:00.000 PM 47.800000

8/8/12 5:20:00.000 PM 46.400000

8/8/12 5:15:00.000 PM 47.800000

Now multiple hosts the results are incorrect.

Search:index="someindex" sourcetype="perfmon" host="SERVER*" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets by host

Results:

_time SERVER01 SERVER02 SERVER03

8/8/12 5:45:00.000 PM

8/8/12 5:40:00.000 PM 67081.666667 66770.750000 665843.250000

8/8/12 5:35:00.000 PM 67081.000000 66771.000000 665615.000000

8/8/12 5:30:00.000 PM 67080.000000 66771.000000 665356.600000

8/8/12 5:25:00.000 PM 67080.000000 66771.000000 665112.200000

8/8/12 5:20:00.000 PM 67080.000000 66771.000000 303296.000000

8/8/12 5:15:00.000 PM 67080.200000 66771.200000 62203.000000

Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎10-05-2012 11:36 AM

I solved my problem by sort on the host field, adding autoregress for the host field, and eval if the previous host field match current.

Search:index="someindex" sourcetype="perfmon" host="SERVER*" | sort host| reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host

Results:

_time SERVER01 SERVER02 SERVER03

8/8/12 5:00:00.000 PM 57.000000 60.000000 51.000000

8/8/12 5:05:00.000 PM 56.400000 55.200000 57.400000

8/8/12 5:10:00.000 PM 50.000000 55.500000 55.000000

8/8/12 5:15:00.000 PM 48.400000 51.200000 47.800000

8/8/12 5:20:00.000 PM 48.200000 50.400000 46.400000

I hope this all makes sense. Any suggestion would be great. Thanks.

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎10-05-2012 11:36 AM

I solved my problem by sort on the host field, adding autoregress for the host field, and eval if the previous host field match current.

Search:index="someindex" sourcetype="perfmon" host="SERVER*" | sort host| reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host

Results:

_time SERVER01 SERVER02 SERVER03

8/8/12 5:00:00.000 PM 57.000000 60.000000 51.000000

8/8/12 5:05:00.000 PM 56.400000 55.200000 57.400000

8/8/12 5:10:00.000 PM 50.000000 55.500000 55.000000

8/8/12 5:15:00.000 PM 48.400000 51.200000 47.800000

8/8/12 5:20:00.000 PM 48.200000 50.400000 46.400000

I hope this all makes sense. Any suggestion would be great. Thanks.

Reply
Solved! Jump to solution

sinash
Explorer
‎02-25-2017 03:55 AM

This seems to be working.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...