I have this search string shown below. It is perfect except that it does not show any values of the X-axis of the chart. What I'm wanting is to have hourly increments on the x-axis, i.e. 12, 1, 2, etc. Your time is appreciated!
index = ims IMS1 earliest = -90d@d latest = -1d@d
| eval dow = tonumber(strftime(_time,"%w"))
| where dow!=0 AND dow!=6
| eval TDay=strftime(now(), "%F")
| eval QDay=strftime(_time,"%F")
| convert timeformat="%Y-%m-%d" mktime(TDay)
| convert timeformat="%Y-%m-%d" mktime(QDay)
| eval tdiff=(TDay-QDay)/86400
| eval new_time=_time+86400*tdiff
| eval _time=if(isnotnull(new_time), new_time, _time)
| eval Max_Peak = 20000
| bin _time span=15m
| stats first(Max_Peak) as Max_Peak avg(Tran_Count) as Normal_Day perc95(Tran_Count) as tempUpper perc10(Tran_Count) as Lower by _time
| eval Upper=tempUpper-Lower
| table _time Upper Normal_Day Lower Max_Peak
| join type=outer _time [search index = ims IMS1 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS1_Today_AVG]
| join type=outer _time [search index = ims IMS2 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS2_Today_AVG]
| join type=outer _time [search index = ims IMS3 earliest = -0d@d latest = now | timechart span=15m avg(Tran_Count) as IMS3_Today_AVG]
I have a feed going into Splunk currently that follows a trend that looks like it starts at a very small number, then increases during the day until the middle of the day, then goes back down to a small number. What I am wanting to do is build a search that will look at this day 7 days ago and, for every hour, add 10% and minus 10%, so that I have a threshold that I can chart on my chart for today.
Basically, I want today's chart, a minimum and a maximum, all in the one chart, with the max and min being a 10% difference from the time 7 days ago. This is used to say that if the logs of today are more than last week, then it will show me, as it will go over the 10% threshold of 7 days ago.
What functions does Splunk have to do this?
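One way to build the band described in the post above, as an added example that is not part of the original posts. It assumes the feed is the `index=ims IMS1` source with the `Tran_Count` field from the earlier search; the field names `LastWeek`, `Lower`, `Upper` and `Today` are made up for illustration.

```spl
index=ims IMS1 earliest=-7d@d latest=-6d@d
| bin _time span=1h
| stats avg(Tran_Count) as LastWeek by _time
| eval _time=_time + 7*86400
| eval Upper=round(LastWeek*1.10, 2), Lower=round(LastWeek*0.90, 2)
| append
    [ search index=ims IMS1 earliest=@d latest=now
    | bin _time span=1h
    | stats avg(Tran_Count) as Today by _time ]
| stats first(Today) as Today first(Lower) as Lower first(Upper) as Upper by _time
| table _time Today Lower Upper
```

The first `eval` moves last week's hourly buckets forward by seven days so they land on today's timestamps, and the final `stats` merges the baseline rows and today's rows that share a bucket. The fixed `7*86400` offset is off by one hour when a daylight-saving change falls inside the week.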