Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I need to track the progress of students over time

wwf
New Member
‎07-18-2015 06:31 PM

Our event lists the answer to one question on a test.
Our test numbers are unique to one set of test questions by one student at the time they took the test.
I can handle grading the tests using eval(grade_function) by test_number (e.g. grade=B)
Students can take the test at any time and retake the test as many times as they want or only take the test once.
I want to track the student's progress every month.

Thus for every student, I want to get their last test results before each months end and plot the number of students who achieved each grade. Note the last test result for a student may appear many months before the current month end.
This should look like a bar or line graph and each X axis value is a month and each bar at an X value represents a count of the number of "A", "B", "C", and "D" grades.

The first part I think I can handle by processing the list of events by test number and generating statistics as a table.
Once I have done this, I have no "test" events (only lines in a table) to order or search by or sum up results.
I don't know if there is a way to turn a table into a series of events.
I also realize I may be very far off the way to use Splunk to process the data.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2015 10:36 PM

Do it like this:

... | bucket _time span=1mon | stats latest(grade) AS grade BY student test_number _time | timechart span=1mon count by grade
0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2015 06:06 PM

Given your "all time" clarification, try this:

...  | eventstats latest(_time) AS lastTestTime BY student test_number | eval Grade=if(_time=lastTestTime ), grade, null()) | bucket _time span=1mon | stats latest(Grade) AS Grade BY student test_number _time | timechart span=1mon count by Grade

This assumes that the most recent grade for every student+test_number is the only one counted and that it is only counted in the month that the latest grade occurred (all previous grades for this student+test_number pairings are ignored).

0 Karma
Reply

wwf
New Member
‎07-22-2015 03:34 PM

The suggestion almost works.
The bad results occur when a student has not written a test within a month but wrote a test more than a month ago.
The student's grades carried over from the earlier months do not count for the grades in the latest month.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-19-2015 04:04 AM

This might start working once you replace span=1m with span=1mon.

Reply

woodcock
Esteemed Legend
‎07-19-2015 07:47 PM

Fixed; thank you.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-20-2015 03:53 PM

It's still bucketing by minutes.

Reply

woodcock
Esteemed Legend
‎07-20-2015 04:16 PM

Got it again.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...