- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Charting non indexed values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Charting non indexed values
I have a feed going into Splunk currently that follows a trend that looks like it starts at a very small number, then increases during the day until the middle of the day then back down to a small number. What i am wanting to do, is build a search that will look at this day 7 days ago, for every hour add 10% and minus 10% so that i have a threshold that i can chart on my chart for today.
Basically, i want: today's chart, a minimum and a maximum all in the one chart. With the max and min being 10% difference of the time 7 days ago. This is used to say that if the logs of today are more than last week, then it will show me as it will go over the 10% threshold of 7 days ago.
What functions does Splunk have to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to search for the events that you want to chart, and then alter the timerange so that they can be charted together, that can be done in the old way with manually setting a 'marker' and then adding to the _time field (first example) or you can use the timewrap command, which can be found here as an app: http://apps.splunk.com/app/1645/
For these sample queries data from the _internal index have been used, so you can cut-n-paste these code samples directly to play around with them, as the _internal index is present on all splunk installations. Just make sure that you have the proper access rights.
| multisearch
[ search index=_internal sourcetype=splunkd earliest=-7d@d latest=-7d group=per_index_thruput series="_internal"
| eval marker="last_week" ]
[ search index=_internal sourcetype=splunkd earliest=@d group=per_index_thruput series="_internal"
| eval marker="today" ]
| eval _time = if(marker=="today", _time, _time + (7 * 86400))
| timechart span=1h avg(eps) by marker
| where isnotnull(today) OR isnotnull(last_week)
| eval last_week = round(last_week,2)
| eval today = round(today,2)
| eval last_week_high = last_week * 1.10
| eval last_week_low = last_week * 0.900
| fields - last_week
Or using the timewrap command;
| multisearch
[search index=_internal sourcetype=splunkd series="_internal" earliest =-7d@d latest=-7d group=per_index_thruput]
[search index=_internal sourcetype=splunkd series="_internal" earliest=@d group=per_index_thruput]
| timechart span=1h avg(eps) as avg_eps
| timewrap d
| where isnotnull(avg_eps_latest_day) OR isnotnull(avg_eps_7days_before)
| eval avg_eps_today = round(avg_eps_latest_day,2)
| eval low_last_week = round((avg_eps_7days_before * 0.900),2)
| eval high_last_week = round((avg_eps_7days_before * 1.100),2)
| fields + _time, avg_eps_today, low_last_week, high_last_week
NB:
You could also with a simpler search where you get all events from the last week and filter out the results after the timewrap command;
index=_internal sourcetype=splunkd earliest=-7d@d group=per_index_thruput series="_internal"
| timechart span=1h avg(eps) as avg_eps
| timewrap d
| the rest of your commands for filtering out / manipulating fields
Hope this helps,
/K
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
