I have a script which collects the LDAP stats of a series of LDAP hosts and forwards the values to Splunk.
Now naturally the values are increasing - I would want to chart the delta values in a timechart.
How do I go about achieving this?
I tried something like " | delta simpleAuthBinds AS deltaSimpleAuthBinds | search deltaSimpleAuthBinds>0 | timechart min(deltaSimpleAuthBinds) by dsaName " with min max etc but i only want the value in deltaSimpleAuthBinds (supposing i use "delta" correctly).
yes, it is essentially a table of cumulative counters (all the various stats elements just count up and i gather them to chart and report and alert in splunk)
would love to see your example.
I posted this a while ago looking for input. My method uses the autoregress function and I'd be happy to walk you through it.
um, it looks quite odd... the chart kinda breaks 🙂 in stacked mode. Will have to play with it a little and let the data flow.
@dominiquevocat, So what kind of chart are you trying to build (stacked bar or line), what field do you intend to group by, is this a real-time dashboard (using post-process changes the search a little), one time report, or ad-hoc search? Can you provide a few lines of the _raw? I'd be happy to try and help if I can. Cheers
@bmacias84: right now I use an area chart in stacked mode. The hiccup came from a spike in one of the areas resulting in white space in the stacked chart :-). I think it would be sufficient to sort the sources by their relative volume. I currently do a one week overview of the load of the LDAP servers. It is mostly to get the hang of it.
As for values, can i send them to you somehow?
Ok, i ended up defining a macro "plotseries(2)"
sort $arg1$ | reverse | autoregress $arg1$ as _$arg1$ | autoregress $arg2$ as _$arg2$ p=1 | eval delta=($arg2$-_$arg2$) | eval delta = if($arg1$ == _$arg1$, delta, null()) | timechart max(delta) by $arg1$ span=5m
so i would do something like
host="172.29.200.15" "[STATS]" |
the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.
hope this helps someone - also open for improvement.
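Added example, not part of the thread and not any poster's own search: the same per-server delta of a cumulative counter written with `streamstats` instead of `autoregress`, using the `dsaName` and `simpleAuthBinds` fields and the host filter quoted above. It assumes those fields are already extracted. The first sample of each server and any sample where the counter went down (for example after a directory server restart) give no delta rather than a negative spike.

```spl
host="172.29.200.15" "[STATS]"
| sort 0 dsaName _time
| streamstats current=f window=1 global=f last(simpleAuthBinds) as prevBinds by dsaName
| eval delta = if(simpleAuthBinds >= prevBinds, simpleAuthBinds - prevBinds, null())
| timechart span=5m sum(delta) by dsaName
```

`sum(delta)` gives the total increase per 5-minute bucket when several samples land in one bucket; `max(delta)` would show only the largest single step.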