Problem: Creating a line chart from a cumulative counter (i.e. snmp ifOutOctets or Windows TCP counters) for multiple hosts on a single chart. These counters can also reset to zero at any point.
I figured I'd use autoregress, which was easy enough and works great for one host but has problems with multiple hosts.
Search: index="someindex" sourcetype="perfmon" host="SERVER01" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets
Results:
_time resets
8/8/12 5:45:00.000 PM
8/8/12 5:40:00.000 PM 49.000000
8/8/12 5:35:00.000 PM 45.200000
8/8/12 5:30:00.000 PM 49.600000
8/8/12 5:25:00.000 PM 47.800000
8/8/12 5:20:00.000 PM 46.400000
8/8/12 5:15:00.000 PM 47.800000
Now with multiple hosts the results are incorrect.
Search: index="someindex" sourcetype="perfmon" host="SERVER*" | reverse | autoregress tcpconreset as pretcpconreset | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | timechart span=5m avg(resets) as resets by host
Results:
_time SERVER01 SERVER02 SERVER03
8/8/12 5:45:00.000 PM
8/8/12 5:40:00.000 PM 67081.666667 66770.750000 665843.250000
8/8/12 5:35:00.000 PM 67081.000000 66771.000000 665615.000000
8/8/12 5:30:00.000 PM 67080.000000 66771.000000 665356.600000
8/8/12 5:25:00.000 PM 67080.000000 66771.000000 665112.200000
8/8/12 5:20:00.000 PM 67080.000000 66771.000000 303296.000000
8/8/12 5:15:00.000 PM 67080.200000 66771.200000 62203.000000
I solved my problem by sorting on the host field, adding autoregress for the host field, and using eval to check whether the previous host field matches the current one.
Search: index="someindex" sourcetype="perfmon" host="SERVER*" | sort host | reverse | autoregress tcpconreset as pretcpconreset | autoregress host as prehost | eval n = (tcpconreset-pretcpconreset) | eval resets = if(n >= 0, n,null()) | eval resets = if(host == prehost, resets, null()) | reverse | timechart span=5m avg(resets) by host
Results:
_time SERVER01 SERVER02 SERVER03
8/8/12 5:00:00.000 PM 57.000000 60.000000 51.000000
8/8/12 5:05:00.000 PM 56.400000 55.200000 57.400000
8/8/12 5:10:00.000 PM 50.000000 55.500000 55.000000
8/8/12 5:15:00.000 PM 48.400000 51.200000 47.800000
8/8/12 5:20:00.000 PM 48.200000 50.400000 46.400000
I hope this all makes sense. Any suggestions would be great. Thanks.
This seems to be working.
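An alternative way to get the previous counter value per host, as an added example that is not part of the original posts: `streamstats` with a `by host` clause and `global=f` keeps a separate one-event window for each host, so the sort on host and the `prehost` comparison are not needed. It reuses the index, sourcetype and field names from the searches above and has not been run against the poster's data.

```spl
index="someindex" sourcetype="perfmon" host="SERVER*"
| sort 0 _time
| streamstats current=f window=1 global=f last(tcpconreset) as pretcpconreset by host
| eval n = tcpconreset - pretcpconreset
| eval resets = if(n >= 0, n, null())
| timechart span=5m avg(resets) by host
```

`sort 0` removes the default 10,000-result limit of `sort`, which would otherwise silently drop events on larger time ranges. The first event of each host has no previous value, so its delta is null and is left out of the average, as are negative deltas caused by a counter reset.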