
show proper rate of a continually increasing value

Motivator

I have a script which collects the LDAP stats of a series of LDAP hosts and forwards the values to Splunk.

Now naturally the values are increasing - I would want to chart the delta values in a timechart.

How do I go about achieving this?

I tried something like " | delta simpleAuthBinds AS deltaSimpleAuthBinds | search deltaSimpleAuthBinds>0 | timechart min(deltaSimpleAuthBinds) by dsaName " with min, max etc. but I only want the value in deltaSimpleAuthBinds (supposing I use "delta" correctly).


Re: show proper rate of a continually increasing value

Champion

So are you dealing with a cumulative counter? If so I may have an example for you.


Re: show proper rate of a continually increasing value

Motivator

Yes, it is essentially a table of cumulative counters (all the various stats elements just count up and I gather them to chart and report and alert in Splunk).
Would love to see your example.


Re: show proper rate of a continually increasing value

Champion

I posted this a while ago looking for input. My method uses the autoregress function and I'd be happy to walk you through it.

http://splunk-base.splunk.com/answers/55484/line-chart-cumulative-counters-by-host


Re: show proper rate of a continually increasing value

Motivator

Um, it looks quite odd... the chart kinda breaks 🙂 in stacked mode. Will have to play with it a little and let the data flow.


Re: show proper rate of a continually increasing value

Champion

@dominiquevocat, so what kind of chart are you trying to build (stacked bar or line), what field do you intend to group by, is this a real-time dashboard (using post-process changes the search a little), one-time report, or ad-hoc search? Can you provide a few lines of the _raw? I'd be happy to try and help if I can. Cheers


Re: show proper rate of a continually increasing value

Motivator

@bmacias84: right now I use an area chart in stacked mode. The hiccup came from a spike in one of the areas resulting in white space in the stacked chart :-). I think it would be sufficient to sort the sources by their relative volume. I currently do a one week overview of the load of the LDAP servers. It is mostly to get the hang of it.

As for values, can I send them to you somehow?


Re: show proper rate of a continually increasing value

Champion

@dominiquevocat, I normally give a sample table output of the data, including 10-15 rows.


Re: show proper rate of a continually increasing value

Motivator

OK, I ended up defining a macro "plotseries(2)"

Macro:
sort $arg1$ | reverse | autoregress $arg1$ as _$arg1$ | autoregress $arg2$ as _$arg2$ P=1 | eval delta=($arg2$ - _$arg2$) | eval delta = if($arg1$ == _$arg1$, delta, null()) | timechart max(delta) by $arg1$ span=5m

So I would do something like
host="172.29.200.15" "[STATS]" | `plotseries(dsaName,wholeSubtreeSearchOps)`

The first argument is for the serialization and also serves in the chart, the second is the metric I want to plot.

Hope this helps someone - also open for improvement.
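
An alternative to the autoregress macro above, as an added example that is not part of the original thread: `streamstats` with a one-event window per `dsaName` carries the previous counter value forward, so the name comparison and the sort/reverse step are not needed. It reuses the host filter and the `dsaName` and `wholeSubtreeSearchOps` fields from the thread, and it assumes that a negative delta means the LDAP server restarted and its counter began again at zero.

```spl
host="172.29.200.15" "[STATS]"
| sort 0 _time
| streamstats current=f window=1 global=f last(wholeSubtreeSearchOps) as prev by dsaName
| eval delta = wholeSubtreeSearchOps - prev
| eval delta = if(delta < 0, wholeSubtreeSearchOps, delta)
| where isnotnull(delta)
| timechart span=5m sum(delta) by dsaName
```

Using `sum(delta)` gives the total operations per 5-minute bucket even when several samples fall into one bucket; the first sample of each server has no predecessor and is dropped by the `where` clause.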
