Splunk Search

Timechart - How to plot the latest available data for each input over time?

asherman
Path Finder

Hello,

I am trying to represent the change in error for ~30,000 inputs over time. Not all inputs are updated routinely (e.g., some are updated multiple times a day, while others are updated every other day, etc.). I would like to plot over time the latest available data for each input (so not restricted to the time bin, rather from the beginning of time up until the edge of the current bin). I can think of it as charting the result of the dedup command over time.

E.g.: input=rows, time=columns, >0.5 is a failure (excluded), '-' means no input that day

    d1    d2   d3    d4
I1: 0.7   -   0.3   0.4
I2: 0.3  0.6  0.4    -
I3: 0.5   -   0.2   0.6

Would produce a plot of values:

    d1 d2 d3 d4
I1: 0  0  1   1
I2: 1  0  1   0
I3: 1  1  1   0
sum:2  1  3   0

I have been trying to use the streamstats function, but haven't been successful:

index=test_index3 max_err="*" | bin _time span=1d | dedup name, path  
| streamstats sum(eval(max_err<0.05 AND max_err>-0.05)) as data, count as total by block
| eval percent=round(data/total*100,3)
| timechart max(percent) as data by block

The data is of the form "...name=some_name,path=some_path,block=some_block,max_err=0.043,...", etc.

Any help would be appreciated. Thanks.
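As an added illustration (not the poster's query and not Splunk code), here is a Python sketch of the carry-forward logic the question describes: for each daily bin, keep only the latest max_err for every name/path seen so far, then count those within +/-0.05 per block and express it as a percentage of the distinct inputs in that block. The events are constructed sample data in the key=value format the poster describes.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events in the poster's format (not real data):
# (event day, "name=...,path=...,block=...,max_err=...")
EVENTS = [
    (date(2024, 3, 1), "name=a,path=/x,block=b1,max_err=0.043"),
    (date(2024, 3, 1), "name=b,path=/y,block=b1,max_err=0.120"),
    (date(2024, 3, 2), "name=b,path=/y,block=b1,max_err=-0.010"),
    (date(2024, 3, 3), "name=a,path=/x,block=b1,max_err=0.300"),
    (date(2024, 3, 3), "name=c,path=/z,block=b1,max_err=0.020"),
]

def parse_event(raw):
    """Turn 'k=v,k=v,...' into a dict; max_err becomes a float."""
    fields = dict(part.split("=", 1) for part in raw.split(","))
    fields["max_err"] = float(fields["max_err"])
    return fields

def carry_forward_percent(events, tol=0.05, span=timedelta(days=1)):
    """For each daily bin, take the latest max_err of every (block, name, path)
    seen so far (the 'dedup from the beginning of time' the poster wants),
    count those within +/-tol, and return {block: [(day, percent), ...]}."""
    ordered = sorted(((d, parse_event(r)) for d, r in events), key=lambda e: e[0])
    first, last = ordered[0][0], ordered[-1][0]
    latest = {}            # (block, name, path) -> most recent max_err
    result = defaultdict(list)
    i, day = 0, first
    while day <= last:
        # absorb every event whose day falls inside this bin
        while i < len(ordered) and ordered[i][0] < day + span:
            ev = ordered[i][1]
            latest[(ev["block"], ev["name"], ev["path"])] = ev["max_err"]
            i += 1
        per_block = defaultdict(lambda: [0, 0])   # block -> [ok, total]
        for (block, _, _), err in latest.items():
            per_block[block][1] += 1
            if -tol < err < tol:
                per_block[block][0] += 1
        for block, (ok, total) in per_block.items():
            result[block].append((day, round(ok / total * 100, 3)))
        day += span
    return dict(result)
```

Inputs that stop reporting keep contributing their last value to every later bin, which is the behaviour the dedup-then-streamstats attempt above loses because dedup keeps only one event per input overall rather than one per bin.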


somesoni2
SplunkTrust

Try this

index=test_index3 max_err="*" | bin _time span=1d | dedup name, path  
| eventstats count as total by block | where max_err<0.05 AND max_err>-0.05
| streamstats sum(max_err) as data by block
| eval percent=round(data/total*100,3)
| timechart max(percent) as data by block

asherman
Path Finder

I want a sum of all the errors that are +/- 5% from the beginning of time until a given point, subtracting duplicates (i.e., only consider the latest data).

So, the bins on the chart would look something like {(-infty,-10), (-infty,-9), ..., (-infty, today)}, each plotting the total number of 'okay' entries, using the latest data for each unique entry up until the related day.


strive
Influencer

Per day you want to sum up everything OR for a given day plot the latest data for that day for an input?
