All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Timewrap to get a baseline of where the average traffic should be in a time chart based on a week ago and 2 weeks ago

jaywilwk
Engager
‎05-07-2014 08:08 AM

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC Allow | timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb

Using the timewrap app, I was trying to provide a baseline of what the traffic should be withtin a 30 minute window based on the same 30 minute window from the past 2 weeks ago on the same day. (Ex: compare the current 30 minute window of Wednesday to the a week and two weeks ago 30 minute window of wednesday) Above is my current search that presents a timechart showing Megabits per second over the last 30 minutes.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-07-2014 11:36 AM

Hi jaywilwk,

how about this:

index=proxysg sourcetype=proxysg earliest=-3w@w latest=-0w@w 
| eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") 
| search Category=IBC Allow 
| timechart span=30m per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb 
| timewrap w | where strftime(_time, "%A") == "Wednesday"

btw, this is taken form the timewrap docs

cheers, MuS

Reply

MuS
SplunkTrust
SplunkTrust
‎05-07-2014 11:28 PM

Hi jaywilwk,

take this run everywhere example and adapt it to your needs:

index=_internal source=*metrics.log series="splunkd" earliest=-2w@w | timechart span=30m avg(kbps) as avg_kbps by series | timewrap w | eval myTime=relative_time(now(), "-30m@m") | where _time>=myTime

this will compare the last 30 minutes with the last two weeks at the same 30 minutes.

Please mark this as answered by ticking the tick - thanks

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-07-2014 12:54 PM

okay, I can only show you the way to go but I cannot solve your problems, because I don't have your real world events available.
Your base search must go over the last two weeks and you probably need to do some additional filtering in the end to get back only those last 30min

0 Karma
Reply

jaywilwk
Engager
‎05-07-2014 12:43 PM

I want the timechart to show the current Mb/s average for the last 30 minutes and also show the average same 30 minutes from the last 2 weeks.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...