Splunk Search

Can i get a table of statistics where different columns represent different time ranges like 'last 24 hrs', 'last month' ?

sideview
SplunkTrust

We want to end up with this kind of table on a dashboard.

Average GB By Host and Time

host     last 24 hours       last week       last month      
web1     31.42               14.2            18.66
web2     33.59               32.4            32.14
web1     43.5                35.3            34.91

However we can't think of a way to do this without running subsearches and using the join command, which seems very nasty.
In this example we'd run the search over the last month and get the big stat that way, and then run 2 other searches in join commands to get the other ones. Again, very very nasty. And although it might work, we're worried about the scaling limits when using join, and we're pretty sure the number of events in this case will hit the limits, which rules this out anyway.

But is there any other way to actually get these in a table or chart?

If it's not in a table, we can think of a limited alternative using NxM SingleValue modules, but that would be a little lame and we're hoping to really get this data in single tables and graphable in single charts.

1 Solution

steveyz
Splunk Employee

set the timerange to the latest month (i.e. earliest=-1month)

<your search for events> 
| eval label = if(now() - _time <= 24*3600, "last24;lastweek;lastmonth", if(now() - _time <= 7*24*3600, "lastweek;lastmonth", "lastmonth")) 
| makemv label delim=";" | chart avg(GB) by host label 
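The bucketing trick in the accepted answer, modelled in Python as an added example (this is not code from the thread or from Splunk): every event is tagged with each time window it falls inside, so an event from the last 24 hours contributes to all three columns, and the per-host average is then taken per window, which is what the multivalue label plus chart avg(GB) by host label produces. The explicit 30-day cap on the lastmonth column, the window names and the sample events are assumptions made here; in the SPL the search's own earliest=-1month bounds that column instead.

```python
# Windows in seconds; an event is labelled with every window it falls inside,
# mirroring the multivalue "label" field built by the eval/makemv in the answer.
# The 30-day month is an assumption; the SPL relies on earliest=-1month instead.
WINDOWS = [
    ("last24", 24 * 3600),
    ("lastweek", 7 * 24 * 3600),
    ("lastmonth", 30 * 24 * 3600),
]


def labels_for(age_seconds):
    """Return the window names an event of this age belongs to.

    An event 2 hours old yields all three labels, a 3-day-old event yields
    lastweek and lastmonth, and anything older than the month yields nothing
    (in Splunk such events are simply outside the search's time range).
    """
    return [name for name, span in WINDOWS if 0 <= age_seconds <= span]


def chart_avg_by_host_and_window(events, now):
    """Equivalent of `chart avg(GB) by host label`.

    events: iterable of (host, epoch_time, gb) tuples.
    Returns {host: {window: average_gb}} with averages rounded to 2 places.
    """
    sums, counts = {}, {}
    for host, ts, gb in events:
        for label in labels_for(now - ts):
            key = (host, label)
            sums[key] = sums.get(key, 0.0) + gb
            counts[key] = counts.get(key, 0) + 1
    table = {}
    for (host, label), total in sums.items():
        table.setdefault(host, {})[label] = round(total / counts[(host, label)], 2)
    return table


def render(table):
    """Print the result as a text table like the one in the question."""
    cols = [name for name, _ in WINDOWS]
    lines = ["host\t" + "\t".join(cols)]
    for host in sorted(table):
        row = table[host]
        lines.append(host + "\t" + "\t".join(str(row.get(c, "")) for c in cols))
    return "\n".join(lines)


# Constructed sample events (host, epoch time, GB); not real data.
NOW = 1_700_000_000
H = 3600
SAMPLE_EVENTS = [
    ("web1", NOW - 2 * H, 30.0),        # within 24h -> all three windows
    ("web1", NOW - 20 * H, 34.0),       # within 24h
    ("web1", NOW - 3 * 24 * H, 10.0),   # 3 days old -> week and month only
    ("web1", NOW - 20 * 24 * H, 6.0),   # 20 days old -> month only
    ("web2", NOW - 5 * H, 40.0),
    ("web2", NOW - 10 * 24 * H, 20.0),
    ("web2", NOW - 45 * 24 * H, 99.0),  # older than the month; contributes nothing
]

if __name__ == "__main__":
    print(render(chart_avg_by_host_and_window(SAMPLE_EVENTS, NOW)))
```

Because the labels overlap, the column totals are not independent: the last-24-hours events are also inside the last-week and last-month averages, which is exactly the semantics the question asks for (each column is "the average over that whole range"), not disjoint buckets.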


sideview
SplunkTrust

answering my own comment - you can actually use the relative time specifiers themselves in eval now. See 'relative_time' in http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions


sideview
SplunkTrust

Nice. I'd gone in that direction a little but was fishing for another way. 😃 It would be awesome if somehow you could use the relative time specifiers themselves somewhere. And this is nonsense, but something vaguely like "avg(GB) where _time in timerange(-30d@d, @d) avg(GB) where _time in timerange(-1d@d, @d) "
