Splunk Search

Timechart of event with duration

Wam79
Engager

I am trying to make a nice timechart of how many objects are unavailable at a specific time.
In my log I have start and end events for every outage, and they are bound together nicely. I have also calculated how long these outages last (to minute accuracy).
When I try to draw a timechart with:


index=alarms event=add OR event=clear
| transaction event_id startswith=(event=add) endswith=(event=clear) keepevicted=true
| timechart dc(event_id)

I get a line that stays up the whole day. If I add span=15min (the accuracy I want), I get only small spikes (15 min), even for outages that are 4 or 5 hours long.

Analogy:
A restaurant keeps a log for every seat of when a customer sits down and stands up. Every customer spends a different amount of time eating. I want to know how many customers we have in a specific 15-minute time window, as a graph.

0 Karma

nadid
Path Finder

For this kind of question there is no need to sample every second.

If you want to measure the concurrency of elements with a duration you should do:

  • Align the buckets to a period that you like

    |eval bucket_time_size=1800
    |eval start_bucket_time=START_TIME-(START_TIME%bucket_time_size)
    |eval end_bucket_time=END_TIME-(END_TIME%bucket_time_size)

  • Create the ranges in a variable of the events for the bucket size you defined

    |eval bucket_start=mvrange(start_bucket_time,end_bucket_time,bucket_time_size)

  • Expand the variable (and the events)

    |mvexpand bucket_start

  • Assign the _time to the new expanded field.

    |eval _time=bucket_start

With that you will have the concurrent elements in a certain frame of time. Calculating how much is really used in each bucket will be like the duration_bucket calculation in the previous answer.

More detailed explanation in: http://answers.splunk.com/answers/223129/how-to-distribute-an-event-among-many-time-buckets.html

0 Karma
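As an added example that is not part of nadid's answer or of the original thread: a stand-alone Python model of the same eval/mvrange/mvexpand/timechart steps, run over constructed outage records (the object ids and timestamps are assumed, not taken from the question's index). It places the un-expanded count, which is what produced the 15-minute spikes in the question, beside the bucket-expanded concurrency count, and it adds one bucket size to the mvrange end so the bucket containing END_TIME is included, since mvrange's end is exclusive.

```python
# Added example (not from the original thread): a Python model of the
# bucket-expansion technique. Each outage is spread over every bucket it
# overlaps, then distinct ids are counted per bucket, which is what
# `eval` / `mvrange` / `mvexpand` / `timechart dc(event_id)` do in SPL.
from collections import defaultdict

BUCKET = 900  # 15-minute buckets, in seconds (the accuracy the question asks for)

# Constructed sample outages: (event_id, START_TIME, END_TIME) as epoch seconds,
# i.e. what `transaction` yields as _time and _time + duration. Assumed values.
T0 = 1_700_000_000 - (1_700_000_000 % BUCKET)  # base time aligned to a bucket edge
OUTAGES = [
    ("obj-1", T0 + 60,       T0 + 4 * 3600 + 60),   # ~4 h outage
    ("obj-2", T0 + 1800,     T0 + 5 * 3600),        # 5 h outage
    ("obj-3", T0 + 5 * 3600, T0 + 5 * 3600 + 10),   # 10 s blip
]


def floor_bucket(t, size=BUCKET):
    """Mirror of `eval b=t-(t%size)`: align t down to the start of its bucket."""
    return t - (t % size)


def mvrange(start, end, step):
    """Mirror of SPL mvrange(start, end, step): the end value is exclusive."""
    return list(range(start, end, step))


def naive_timechart(outages, size=BUCKET):
    """What `timechart span=15m dc(event_id)` does without expansion: each
    transaction is counted only in the bucket holding its _time (the start),
    so a 4-hour outage shows up as a single 15-minute spike."""
    counts = defaultdict(set)
    for event_id, start, _end in outages:
        counts[floor_bucket(start, size)].add(event_id)
    return {b: len(ids) for b, ids in sorted(counts.items())}


def expanded_timechart(outages, size=BUCKET):
    """Bucket expansion: one row per (event_id, bucket) the outage overlaps,
    then dc(event_id) per bucket. `end_bucket + size` makes mvrange include
    the bucket that contains END_TIME."""
    counts = defaultdict(set)
    for event_id, start, end in outages:
        start_bucket = floor_bucket(start, size)
        end_bucket = floor_bucket(end, size)
        # mvexpand: one row per bucket_start, then `eval _time=bucket_start`
        for bucket_start in mvrange(start_bucket, end_bucket + size, size):
            counts[bucket_start].add(event_id)
    return {b: len(ids) for b, ids in sorted(counts.items())}


if __name__ == "__main__":
    naive = naive_timechart(OUTAGES)
    expanded = expanded_timechart(OUTAGES)
    print("buckets with a value (naive / expanded):", len(naive), "/", len(expanded))
    for bucket_start in sorted(expanded):
        offset_min = (bucket_start - T0) // 60
        print(f"+{offset_min:4d} min  naive={naive.get(bucket_start, 0)}  "
              f"expanded={expanded[bucket_start]}")
```

In SPL terms, START_TIME is the transaction's _time and END_TIME is _time + duration, so the two helpers map onto the eval lines in the answer one to one; the only addition is the `+ size` on the mvrange end, without which an outage that ends mid-bucket is dropped from its last bucket.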

nadid
Path Finder

@Wam79, does this solve it for you?

0 Karma

Ayn
Legend

Whenever I see questions about keeping track of state like this I immediately think of this excellent blog post covering the subject: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

0 Karma

Wam79
Engager

Well, what I understood from that blog was "you should check the status of your monitored item every second if you want a good occupancy report". I can't agree more that it is the most reliable way to do that. I am not sure how wise it is when I have 1000+ items to look after.
