- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a timechart that takes the remainder...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following metrics:
date:01 yada yada yada total 80
date:02 yada yada yada total 120
date:03 yada yada yada total 50
date:04 yada yada yada total 110
date:05 yada yada yada total 40
I need a timechart that will take the remainder of the total (anything over 100) and add it to the total of the previous minute. e.g.
should end up looking like so:
date:01 yada yada yada total 100
date:02 yada yada yada total 100
date:03 yada yada yada total 60
date:04 yada yada yada total 100
date:05 yada yada yada total 40
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extending the run anywhere example by @DalJeanis
| gentimes start="03/01/2017:00:00:00" end="03/15/2017:00:00:00" increment=1d
| eval _time = starttime
| eval daytrans = 25+random() % 140
| table _time daytrans
Following query using streamstats should work adjustedtrans is the field that has required values (however, this will do only one time adjustment. As, after adding to the previous total, total for that timeframe might cross 100):
| streamstats current=f window=1 values(daytrans) as prevtrans
| reverse
| eval adjustedtrans=if(prevtrans>100, prevtrans-100 + daytrans,daytrans)
| table _time daytrans prevtrans adjustedtrans
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extending the run anywhere example by @DalJeanis
| gentimes start="03/01/2017:00:00:00" end="03/15/2017:00:00:00" increment=1d
| eval _time = starttime
| eval daytrans = 25+random() % 140
| table _time daytrans
Following query using streamstats should work adjustedtrans is the field that has required values (however, this will do only one time adjustment. As, after adding to the previous total, total for that timeframe might cross 100):
| streamstats current=f window=1 values(daytrans) as prevtrans
| reverse
| eval adjustedtrans=if(prevtrans>100, prevtrans-100 + daytrans,daytrans)
| table _time daytrans prevtrans adjustedtrans
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have an elegant solution yet, but for anyone who wants to take a stab at it, here's some run-anywhere code that mocks up test data.
| gentimes start="03/01/2017:00:00:00" end="03/15/2017:00:00:00" increment=1d
| eval _time = starttime
| eval daytrans = 25+random() % 140
| table _time daytrans
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jfraiberg ... What if after adjusting the total the previous minute total goes above 100? Does it need to be adjusted again?
Also if you can provide a context around purpose of this or your search query and/or mocked up data/fields that will also be useful.
| makeresults | eval message= "Happy Splunking!!!"
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
