Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart - How to plot the latest available data for each input over time?

asherman
Path Finder
‎08-18-2014 03:41 PM

Hello,

I am trying to represent the change in error for ~30,000 inputs over time. Not all inputs are updated routinely (e.g., some are updated multiple times a day, while others are updated every other day, etc.). I would like to plot over time the latest available data for each input (so not restricted to the time, rather from the beginning of time up until the edge of the current bin). I can think of it as charting the result of the dedup command overtime.

E.g.: input=rows, time=columns, >0.5 is a failure (excluded), '-' means no input that day

    d1    d2   d3    d4
I1: 0.7   -   0.3   0.4
I2: 0.3  0.6  0.4    -
I3: 0.5   -   0.2   0.6

Would produce a plot of values:

    d1 d2 d3 d4
I1: 0  0  1   1
I2: 1  0  1   0
I3: 1  1  1   0
sum:2  1  3   0

I have been trying to use the streamstats function, but haven't been successful:

index=test_index3 max_err="*" | bin _time span=1d | dedup name, path  
| streamstats sum(eval(max_err<0.05 AND max_err>-0.05)) as data, count as total by block
| eval percent=round(data/total*100,3)
| timechart max(percent) as data by block

The data is of the form "...name=some_name,path=some_path,block=some_block,max_err=0.043,...", etc.

Any help would be appreciated. Thanks.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-19-2014 02:08 PM

Try this

index=test_index3 max_err="*" | bin _time span=1d | dedup name, path  
| eventstats count as total by block | where max_err<0.05 AND max_err>-0.05
| streamstats sum(max_err) as data by block
| eval percent=round(data/total*100,3)
| timechart max(percent) as data by block
0 Karma
Reply

asherman
Path Finder
‎08-18-2014 04:14 PM

I want a sum of all the errors that are +/- 5% from the beginning of time until a given point, subtracting duplicates (i.e., only consider the latest data).

So, the bins on the chart would be look something like {(-infty,-10), (-infty,-9), ..., (-infty, today)}, each plotting the total number of 'okay' entries, using the latest data for each unique entry up until the related day.

0 Karma
Reply

strive
Influencer
‎08-18-2014 04:08 PM

Per day you want to sum up everything OR for a given day plot the latest data for that day for an input?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...