Splunk Search

line chart cumulative counters by host

Champion

Problem: Creating a line chart from cumulative counters (i.e. SNMP ifOutOctets or Windows TCP counters) for multiple hosts on a single chart. These counters can also reset to zero at any point.

I figured I'd use autoregress, which was easy enough and works great for one host, but it has problems with multiple hosts.

Search: index="someindex" sourcetype="perfmon" host="SERVER01" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets

Results:

_time                    resets
8/8/12 5:45:00.000 PM
8/8/12 5:40:00.000 PM    49.000000
8/8/12 5:35:00.000 PM    45.200000
8/8/12 5:30:00.000 PM    49.600000
8/8/12 5:25:00.000 PM    47.800000
8/8/12 5:20:00.000 PM    46.400000
8/8/12 5:15:00.000 PM    47.800000

Now with multiple hosts the results are incorrect.

Search: index="someindex" sourcetype="perfmon" host="SERVER*" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets by host

Results:

_time                    SERVER01        SERVER02        SERVER03
8/8/12 5:45:00.000 PM
8/8/12 5:40:00.000 PM    67081.666667    66770.750000    665843.250000
8/8/12 5:35:00.000 PM    67081.000000    66771.000000    665615.000000
8/8/12 5:30:00.000 PM    67080.000000    66771.000000    665356.600000
8/8/12 5:25:00.000 PM    67080.000000    66771.000000    665112.200000
8/8/12 5:20:00.000 PM    67080.000000    66771.000000    303296.000000
8/8/12 5:15:00.000 PM    67080.200000    66771.200000    62203.000000

1 Solution

Champion

I solved my problem by sorting on the host field, adding an autoregress for the host field, and using eval to check whether the previous host field matches the current one.

Search: index="someindex" sourcetype="perfmon" host="SERVER*" | sort host | reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host

Results:

_time                    SERVER01        SERVER02        SERVER03
8/8/12 5:00:00.000 PM    57.000000       60.000000       51.000000
8/8/12 5:05:00.000 PM    56.400000       55.200000       57.400000
8/8/12 5:10:00.000 PM    50.000000       55.500000       55.000000
8/8/12 5:15:00.000 PM    48.400000       51.200000       47.800000
8/8/12 5:20:00.000 PM    48.200000       50.400000       46.400000

I hope this all makes sense. Any suggestion would be great. Thanks.

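The per-host delta logic from the accepted answer, written here as an added Python example (not code from the post or from Splunk) so the partitioned and unpartitioned behaviours can be compared offline; the event list, host names and counter values are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the post): (epoch seconds, host, cumulative counter).
# SERVER02's counter resets to zero between t=600 and t=900.
EVENTS = [
    (0,    "SERVER01", 1000), (0,    "SERVER02", 50000),
    (300,  "SERVER01", 1050), (300,  "SERVER02", 50060),
    (600,  "SERVER01", 1095), (600,  "SERVER02", 50110),
    (900,  "SERVER01", 1150), (900,  "SERVER02", 20),
    (1200, "SERVER01", 1200), (1200, "SERVER02", 75),
]

def deltas(events, by_host=True):
    """Mirror `autoregress` + `eval n = cur - prev` + `if(n >= 0, n, null())`.

    by_host=True keeps a separate "previous value" per host, which is what the
    accepted answer achieves with sort + autoregress host + host == prehost.
    by_host=False reproduces the original problem: one running "previous"
    shared across all hosts, so deltas get taken between different hosts'
    counters. Negative deltas (a counter reset) are dropped, as in the SPL.
    """
    out = []
    prev = {}
    for t, host, val in sorted(events, key=lambda e: (e[0], e[1])):  # oldest first
        key = host if by_host else "_all"
        if key in prev:
            n = val - prev[key]
            if n >= 0:
                out.append((t, host, n))
        prev[key] = val
    return out

def timechart_avg(rows, span=300):
    """Average deltas per (bucket start, host), like `timechart span=5m avg() by host`."""
    buckets = defaultdict(list)
    for t, host, n in rows:
        buckets[(t - t % span, host)].append(n)
    return {k: mean(v) for k, v in buckets.items()}

if __name__ == "__main__":
    for label, flag in (("per host (correct)", True), ("unpartitioned (wrong)", False)):
        print(label)
        for (t, host), avg in sorted(timechart_avg(deltas(EVENTS, by_host=flag)).items()):
            print(f"  t={t:>5}  {host}  {avg:.1f}")
```

The unpartitioned run shows the tens-of-thousands swings from the question (differences between two hosts' counters), while the per-host run drops only the one bucket where SERVER02 reset.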


Explorer

This seems to be working.
