Splunk Search

How to normalize event counts of disparate data extracts with different polling intervals in a single timechart?

det0n8r
Explorer

This is a follow up question to a previously answered question I asked on timechart counts (here).

Now that I've got the count fixed with a bin and dedup, I'm trying to figure out how to co-mingle data sources of varying polling intervals. How would I go about merging disparate data sources with separate extracts that have different polling intervals?

For example, when comparing a 10 minute poll interval extract with a 5 minute, I get gaps in the longer interval source (because of the bin); here's a sample query, and screenshot of the timechart:

.. sourcetype=server:sessions OR sourcetype=switch:sessions | bin _time span=5m | dedup UserName, _time | timechart count(serverfield) as ActiveServer, count(switchfield) as ActiveSwitch

Timechart with disparate sources

How would I normalize the 10 minute extract next to the 5 minute in the same timechart? Is there some way to fill in the gaps for the extract that runs less frequently?

1 Solution

lguinn2
Legend

What if you added in a span for the timechart itself? You would need to calculate the "5-minute counts" first, though

.. sourcetype=server:sessions OR sourcetype=switch:sessions 
| bin _time span=5m | dedup UserName, _time 
| stats count(serverfield) as ActiveServer count(switchfield) as ActiveSwitch by _time
| timechart span=10m avg(ActiveServer) as ActiveServer, sum(ActiveSwitch) as ActiveSwitch

For the field that has multiple observations per 10-minute time period, take the average. For the field that has only 1 observation, take the sum.

View solution in original post

lguinn2
Legend

What if you added in a span for the timechart itself? You would need to calculate the "5-minute counts" first, though

.. sourcetype=server:sessions OR sourcetype=switch:sessions 
| bin _time span=5m | dedup UserName, _time 
| stats count(serverfield) as ActiveServer count(switchfield) as ActiveSwitch by _time
| timechart span=10m avg(ActiveServer) as ActiveServer, sum(ActiveSwitch) as ActiveSwitch

For the field that has multiple observations per 10-minute time period, take the average. For the field that has only 1 observation, take the sum.

det0n8r
Explorer

Thank you very much, this method did the trick!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...