Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

line chart cumulative counters by host

bmacias84
Champion
‎08-09-2012 08:58 AM

Problem: Creating a line chart from cumulative counter (i.e. snmp ifOutOctets or Windows TCP counters) for multiple hosts on a single chart. This counters can also reset zero an point.

I figured I'd use autoregress which was easy enough and works great for one host by has problem with multiple hosts

Search: index="someindex" sourcetype="perfmon" host="SERVER01" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets

Results:

_time resets

8/8/12 5:45:00.000 PM

8/8/12 5:40:00.000 PM 49.000000

8/8/12 5:35:00.000 PM 45.200000

8/8/12 5:30:00.000 PM 49.600000

8/8/12 5:25:00.000 PM 47.800000

8/8/12 5:20:00.000 PM 46.400000

8/8/12 5:15:00.000 PM 47.800000

Now multiple hosts the results are incorrect.

Search:index="someindex" sourcetype="perfmon" host="SERVER*" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets by host

Results:

_time SERVER01 SERVER02 SERVER03

8/8/12 5:45:00.000 PM

8/8/12 5:40:00.000 PM 67081.666667 66770.750000 665843.250000

8/8/12 5:35:00.000 PM 67081.000000 66771.000000 665615.000000

8/8/12 5:30:00.000 PM 67080.000000 66771.000000 665356.600000

8/8/12 5:25:00.000 PM 67080.000000 66771.000000 665112.200000

8/8/12 5:20:00.000 PM 67080.000000 66771.000000 303296.000000

8/8/12 5:15:00.000 PM 67080.200000 66771.200000 62203.000000

Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎10-05-2012 11:36 AM

I solved my problem by sort on the host field, adding autoregress for the host field, and eval if the previous host field match current.

Search:index="someindex" sourcetype="perfmon" host="SERVER*" | sort host| reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host

Results:

_time SERVER01 SERVER02 SERVER03

8/8/12 5:00:00.000 PM 57.000000 60.000000 51.000000

8/8/12 5:05:00.000 PM 56.400000 55.200000 57.400000

8/8/12 5:10:00.000 PM 50.000000 55.500000 55.000000

8/8/12 5:15:00.000 PM 48.400000 51.200000 47.800000

8/8/12 5:20:00.000 PM 48.200000 50.400000 46.400000

I hope this all makes sense. Any suggestion would be great. Thanks.

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎10-05-2012 11:36 AM

I solved my problem by sort on the host field, adding autoregress for the host field, and eval if the previous host field match current.

Search:index="someindex" sourcetype="perfmon" host="SERVER*" | sort host| reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host

Results:

_time SERVER01 SERVER02 SERVER03

8/8/12 5:00:00.000 PM 57.000000 60.000000 51.000000

8/8/12 5:05:00.000 PM 56.400000 55.200000 57.400000

8/8/12 5:10:00.000 PM 50.000000 55.500000 55.000000

8/8/12 5:15:00.000 PM 48.400000 51.200000 47.800000

8/8/12 5:20:00.000 PM 48.200000 50.400000 46.400000

I hope this all makes sense. Any suggestion would be great. Thanks.

Reply
Solved! Jump to solution

sinash
Explorer
‎02-25-2017 03:55 AM

This seems to be working.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...