- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: show proper rate of a continually increasing v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a script which collects the ldap stats of a series of ldap hosts and forward the values to splunk.
Now naturally the vaules are increasing - i would want to chart the delta values in a timechart.
How do i go about to achieve this?
I tried something like " | delta simpleAuthBinds AS deltaSimpleAuthBinds | search deltaSimpleAuthBinds>0 | timechart min(deltaSimpleAuthBinds) by dsaName " with min max etc but i only want the value in deltaSimpleAuthBinds (supposing i use "delta" correctly).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, i ended up defining a macro "plotseries(2)"
Macro:
sort $arg1$ | reverse | autoregress $arg1$ as $arg1$ | autoregress $arg2$ as _$arg2$ P=1 | eval delta=($arg2$-$arg2$) | eval delta = if($arg1$ == _$arg1$, delta, null()) | timechart max(delta) by $arg1$ span=5m
so i would do something like
host="172.29.200.15" "[STATS]" | plotseries(dsaName,wholeSubtreeSearchOps)
the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.
hope this helps someone - also open for improvement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, i ended up defining a macro "plotseries(2)"
Macro:
sort $arg1$ | reverse | autoregress $arg1$ as $arg1$ | autoregress $arg2$ as _$arg2$ P=1 | eval delta=($arg2$-$arg2$) | eval delta = if($arg1$ == _$arg1$, delta, null()) | timechart max(delta) by $arg1$ span=5m
so i would do something like
host="172.29.200.15" "[STATS]" | plotseries(dsaName,wholeSubtreeSearchOps)
the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.
hope this helps someone - also open for improvement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I posted this a while a go looking for input. My method uses the autoregress funtion and I'd be happy to walk you through it.
http://splunk-base.splunk.com/answers/55484/line-chart-cumulative-counters-by-host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dominiquevocat, I normal give a sample table output of the data include 10-15 rows
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bmacias84: right now i use a area chart in stacked mode. The hickup came from a spike in one of the areas resulting in white space in the stacked chart :-). I think it would be sufficient to sort the sources by their relative volume. I currently do a one week overview of the load of the ldap servers. It is mostly to get the hang of it.
As for values, can i send them to you somehow?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dominiquevocat, So what kinda of chart are you trying to build (stacked bar or line), what field to do you intend to group by, is this a real-time dashboard (using post-process changes the search a little), one time report, or ad-hoc search? Can you provide a few lines of the _raw? I'd be happy to try and help if I can. Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
um, it looks quite odd... the chart kinda breaks 🙂 in stacked mode. Will have to play with it a little and lets the data flow.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, it is essentially a table of cumulative counters (all the various stats elements just count up and i gather them to chart and report and alert in splunk)
would love to see your example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So are you dealing with an cumulative counter? If so I may have an example for you.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
