Splunk Search

Weirdness with timechart, rolling averages, all I really want are the actual values.

mikeely
Path Finder

I've got a file being spooled out from a database one row at a time, couple of example lines:

10-01-12:02:50:02,         0,         0,         3,         6,       103,         2
10-01-12:02:51:01,         0,         0,         3,         6,       103,         2

Using the IFX I was able to get the columns parsed correctly and run against a custom event type which is just the name of the file the values are spooled out to.

What I need is to get a timechart to display the values of each column in a stacked area graph, excluding the second to last ("Normal") column. Thus far, the closest I've come is a rolling average of same:

eventtype="CustomEventType" | timechart avg(Code_Red) AS "Code Red" avg(Urgent) AS "Urgent" avg(Very_High) AS "Very High" avg(High) AS "High" avg(Low) AS "Low"

There are a couple problems with this: First, I don't want the averages of the columns, I want their values. Second, the average has mysteriously stopped working:

Average just dies...

So how do I get past this rolling average hack to the real values? And why did the average just stop working?


Ayn
Legend

First, some explanation on how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what timerange the whole search spans, but let's take an example where the timespan is 1 minute and that somewhere in your log you have 3 of these events occurring within 1 minute. Splunk needs to know how to give you ONE value for "Value", even though there are 3 values of each. So, when you run timechart without any timespan explicitly defined, Splunk sets a timespan and then performs the chosen statistical operation on the field values found in all the events for that interval. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

There's also a second way to do this that might be better in your case, which is to produce a table containing timestamps and values yourself and then feed them into the chart.

... | rename Code_Red AS "Code Red", Very_High AS "Very High" | table _time "Code Red" Urgent "Very High" High Low

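To make the bucketing behaviour concrete, here is an added example (not part of the thread, and not Splunk's own code) that simulates what timechart does to the sample rows from the question: parse the spooled lines, split them into fixed-width time buckets, and reduce every field in a bucket to one number with a chosen function, versus the plain per-event table. The timestamp layout (MM-DD-YY:HH:MM:SS), the column names, and the third sample line (added so that two events land in the same minute) are assumptions, not data from the original post. In SPL the equivalents are `timechart span=1m latest(Code_Red) AS "Code Red" ...` for the aggregated chart and `| table _time Code_Red Urgent Very_High High Low` for the raw values.

```python
"""Simulate Splunk timechart bucketing versus a raw `table _time ...` listing.

Hypothetical helper code written for this thread; it is not Splunk's
implementation, only a model of the behaviour described in the answer.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Column names as extracted by the original poster (assumed from the
# timechart search in the question). "Normal" is the second-to-last column
# and is deliberately left out of the charted fields.
FIELDS = ["Code_Red", "Urgent", "Very_High", "High", "Normal", "Low"]
CHART_FIELDS = ["Code_Red", "Urgent", "Very_High", "High", "Low"]

# Constructed sample rows in the format shown in the question. The third row
# is invented so that two events fall in the same one-minute bucket, which is
# exactly the case timechart must collapse to a single value per field.
SAMPLE_LINES = [
    "10-01-12:02:50:02,         0,         0,         3,         6,       103,         2",
    "10-01-12:02:51:01,         0,         0,         3,         6,       103,         2",
    "10-01-12:02:51:31,         1,         0,         3,         6,       103,         4",
]


def parse_line(line):
    """Turn one spooled row into {'_time': epoch_seconds, field: value, ...}.

    The timestamp format is an assumption read off the sample lines; adjust
    the strptime pattern if the real file uses a different layout.
    """
    parts = [p.strip() for p in line.split(",")]
    ts = datetime.strptime(parts[0], "%m-%d-%y:%H:%M:%S").replace(tzinfo=timezone.utc)
    event = {"_time": ts.timestamp()}
    for name, value in zip(FIELDS, parts[1:]):
        event[name] = float(value)
    return event


def avg(values):
    """Model of SPL avg(X): the mean of every value seen in the bucket."""
    return sum(values) / len(values)


def latest(values):
    """Model of SPL latest(X): the value of the most recent event in the bucket."""
    return values[-1]


def timechart(events, span_seconds, func, fields):
    """Model of `timechart span=<span> <func>(field) ...`.

    Events are grouped by the bucket their _time falls into, then each field's
    values inside a bucket are reduced by `func` to exactly one number. If the
    span is finer than the spooling interval, every bucket holds one event and
    any function returns the raw value unchanged.
    """
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        bucket_start = int(ev["_time"] // span_seconds) * span_seconds
        buckets[bucket_start].append(ev)
    rows = []
    for start in sorted(buckets):
        row = {"_time": start}
        for f in fields:
            row[f] = func([ev[f] for ev in buckets[start]])
        rows.append(row)
    return rows


def table_values(events, fields):
    """Model of `| table _time <fields>`: one row per event, no aggregation."""
    return [{"_time": ev["_time"], **{f: ev[f] for f in fields}}
            for ev in sorted(events, key=lambda e: e["_time"])]


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LINES]
    print("timechart span=1m avg:   ", timechart(events, 60, avg, CHART_FIELDS))
    print("timechart span=1m latest:", timechart(events, 60, latest, CHART_FIELDS))
    print("timechart span=1s avg:   ", timechart(events, 1, avg, CHART_FIELDS))
    print("table _time ...:         ", table_values(events, CHART_FIELDS))
```

With a one-minute span the two events at 02:51 are merged, so `avg` reports 0.5 for Code_Red while `latest` reports 1; with a one-second span, or with the plain table, each spooled row comes through untouched. That is the whole difference between the rolling-average chart in the question and the raw values the poster wanted.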


mikeely
Path Finder

Thanks, that looks like the way forward. Now I have more info also on the file not being read, but it's different enough to warrant a different thread.
