Splunk Search

stats vs timechart

apillai01
New Member

i am getting two different outputs while using stats count( 1hr time interval) and timechart count span=1h. I was using timechart to showcase the trend for the previous hour too.

Highly appreciate your comments

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

In order to show a trend at a granularity of an hour, you should probably be using a smaller span.

This counts 10 pulses per hour, and then calculates how many faults there had been for the prior 60 minutes at the end of that pulse.

 index= sourcetype=* ServiceName="*" OperationName="*" Fault=true FaultCode="XXXXX" 
| bin _time span=6m
| stats count as pulsecount by _time
| streamstats window=10 sum(pulsecount) as hourcount

This counts 10 pulses per hour, and then calculates that hour's simple moving average of the number of faults in each 6-minute pulse.

 index= sourcetype=* ServiceName="*" OperationName="*" Fault=true FaultCode="XXXXX" 
| bin _time span=6m
| stats count as pulsecount by _time
| trendline sma10(pulsecount) as sma10 

For both of the above, you would start with earliest=-3h or so, in order to have an established trend at the -2h point, and then put a where clause at the end to eliminate records that were too old to consider.

View solution in original post

woodcock
Esteemed Legend

The timepicker probably says Last hour which is -60m@m but time chart does not use a snap-to of @m; it uses a snap-to of @h. To make them match, try this:

Your search here earliest=-2h@h latest=-1h@h | stats count

And compare that to this:

Your search here earliest=-2h@h latest=-1h@h | timechar span=1h count

woodcock
Esteemed Legend

Also check out the difference of this with bin:

Your search here earliest=-3h@h latest=-1h@h | bin _time span=1h | stats count
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

In order to show a trend at a granularity of an hour, you should probably be using a smaller span.

This counts 10 pulses per hour, and then calculates how many faults there had been for the prior 60 minutes at the end of that pulse.

 index= sourcetype=* ServiceName="*" OperationName="*" Fault=true FaultCode="XXXXX" 
| bin _time span=6m
| stats count as pulsecount by _time
| streamstats window=10 sum(pulsecount) as hourcount

This counts 10 pulses per hour, and then calculates that hour's simple moving average of the number of faults in each 6-minute pulse.

 index= sourcetype=* ServiceName="*" OperationName="*" Fault=true FaultCode="XXXXX" 
| bin _time span=6m
| stats count as pulsecount by _time
| trendline sma10(pulsecount) as sma10 

For both of the above, you would start with earliest=-3h or so, in order to have an established trend at the -2h point, and then put a where clause at the end to eliminate records that were too old to consider.

aaraneta_splunk
Splunk Employee
Splunk Employee

@apillai01 - Could you provide more information as to what your intended result should be? It is not clear from your question. Please leave a comment below.

In general, your question has a greater chance of being answered by experts in the Answers community when when you provide as much information and context as possible. Thanks.

0 Karma

apillai01
New Member

i am trying to create a dashboard with two views
1. Count of Faults for the current hour
2. Fault trend current vs previous hour

0 Karma

somesoni2
SplunkTrust
SplunkTrust

What is the current search (at least provide some sudo code) and the time range used in both the searches? My guess is the timechart's bucket is different (it takes full hour) than what stats is considering and it's because of time range used.

0 Karma

apillai01
New Member
  1. current search code: index = sourcetype = * ServiceName=""OperationName="" Fault=true FaultCode="XXXXX"|stats count as Total
  2. Trend( compare current hr vs previous hr): index = sourcetype = * ServiceName=""OperationName="" Fault=true FaultCode="XXXXX"|timechart count span=1h

both the case i am using time range as 1 hour

0 Karma

somesoni2
SplunkTrust
SplunkTrust

For Trend, shouldn't you be using time range as 2 hours, one for current hour and one for last hour? Also, when you say current hour, if now is 2:30PM, you want to count 2:00 to 2:30 OR 1:30 to 2:30?

I'm guessing this is what you want but check,

index = sourcetype = ServiceName=""OperationName="*" Fault=true FaultCode="XXXXX" earliest=@h |stats count as Total

index = sourcetype = ServiceName=""OperationName="*" Fault=true FaultCode="XXXXX" earliest=-1h@h |timechart count span=1h
0 Karma

apillai01
New Member

Thanks, it worked!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...