Solved: How do I create and display a trend of the 10 larg...

treadyho · ‎10-07-2015

I am setting up some trending. We currently collect stats on the largest tables and load them into Splunk. I am able to retrieve the 10 largest tables with the following search:

 sort - data_object_p_size | head 10 |  eval TableName= tabschema."-". tabname | table TableName, data_object_p_size

I would like to use the results from the search to include the table size over the last 90 days so I can gather the trend. Basically, I would like something like:

TableName, Current Size, Size 30 days ago, Size 60 days ago, Size 90 days ago, Monthly growth

Could someone point me in the direction of where to get started? Any help is greatly appreciated.

s2_splunk · ‎10-07-2015

There are multiple approaches you could take, but for a general discussion on how to combine search results from two (or more) time periods in one report, I would start here. You can extend this to support multiple time periods.

If your data is such that you have one event per day, you can probably just use appendcols to retrieve your top10 values for 30,60,90 days.

View solution in original post

s2_splunk · ‎10-07-2015

There are multiple approaches you could take, but for a general discussion on how to combine search results from two (or more) time periods in one report, I would start here. You can extend this to support multiple time periods.

If your data is such that you have one event per day, you can probably just use appendcols to retrieve your top10 values for 30,60,90 days.

treadyho · ‎10-09-2015

Ended up doing join, thanks for the help

How do I create and display a trend of the 10 largest database tables returned in my search results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life