Finally getting used to Splunk and have it importing my data from a database.
Now I'm working on generating a line chart that plots out the recorded load to a database. We would like to look over a particular load and see how the load is across multiple days so we can identify unusual drops. This would include stuff like:
Row_Count=123 Error_Count=0 Average_Row_Count=120 Tolerance_Percentage=10
So I can plot out the Row, Average Row and Error fine.
But now I want to include the Tolerance Percentage which is the standard deviation from the average row count, i.e. a line at 108 and a line at 132.
| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT, list(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR) AS TOLERANCE_MIN BY LOAD_MNTR_RUN_ID, JOB_NAME
Gives out about using *
| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT BY LOAD_MNTR_RUN_ID, JOB_NAME | eval TOLERANCE_MIN=(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR)
Just doesnt report TOLERANCE_MIN.
Pretty sure I am missing something basic here..
You dont want to use stats list like this. This will give you one result row that has lots of multi-valued values. Although it sort of looks like what you want, it isnt.
I think this might be closer to what you're looking for:
<your search>
| eval Row_Count_Lower = Row_Count - Tolerance_Percentage
| eval Row_Count_Upper = Row_Count + Tolerance_Percentage |
| timechart avg(Row_Count_Lower) avg(Row_Count) avg(Row_Count_Upper) avg(Error_Count) span=1h
The output of that chart will get graphed as 4 lines, and the legend will show that one of the lines is the Row_Count minus the tolerance, one is the Row_Count itself, one is the Row_Count plus the tolerance.
If you're more interested in maxima and minima, just add in some max(Row_Count_Upper)
etc as necessary.
Note: If you're trying to generate graphs your best bet is to always use the chart
and timechart
commands.
http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions