Hi All, I need some insight and help.
I have MQ-like objects; information about them is forwarded into Splunk every 5 minutes.
Now the events look something like this:
2017-05-10 09:00.000||queue_name=MQ1||count_rec=100
2017-05-10 09:05.000||queue_name=MQ1||count_rec=110
2017-05-10 09:10.000||queue_name=MQ1||count_rec=110
2017-05-10 09:15.000||queue_name=MQ1||count_rec=130
2017-05-10 09:00.000||queue_name=MQ2||count_rec=30
2017-05-10 09:05.000||queue_name=MQ2||count_rec=60
2017-05-10 09:10.000||queue_name=MQ2||count_rec=100
2017-05-10 09:15.000||queue_name=MQ2||count_rec=100
Events are in reverse chronological order, and the fields are getting extracted. Rec_count is the count of data published to the MQ; this is the only info I could get.
So the difference between the value in the current event and the previous event would give the count of data that came in during the last 5 minutes.
Now I am trying to show on a timechart the number of records coming into the MQ over a span.
Is it possible, and what should be the approach for this?
OK, like this:
your search that gets _time, queue_name and count_rec
| timechart range(count_rec) AS increase_in_this_span BY queue_name
Try this ...
your search that gets _time, queue_name and count_rec
| bin _time span=5m
| stats max(count_rec) as count_rec by queue_name _time
| streamstats current=f last(count_rec) as prev_count by queue_name
| eval new_recs = count_rec - prev_count
| timechart span=5m sum(new_recs) by queue_name
If the records all have _times that are exactly on the 5 min mark, then the bin is probably not needed.
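The same bin / max / streamstats / eval pipeline as above, worked through in Python over the question's sample events so the per-span deltas can be checked by hand. This is an added illustration, not part of the thread; it assumes the raw `||`-delimited event format shown in the question and, like `streamstats current=f`, yields no delta for a queue's first span.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the events from the question, in reverse chronological
# order as Splunk returns them (most recent first).
SAMPLE_EVENTS = """\
2017-05-10 09:15.000||queue_name=MQ2||count_rec=100
2017-05-10 09:10.000||queue_name=MQ2||count_rec=100
2017-05-10 09:05.000||queue_name=MQ2||count_rec=60
2017-05-10 09:00.000||queue_name=MQ2||count_rec=30
2017-05-10 09:15.000||queue_name=MQ1||count_rec=130
2017-05-10 09:10.000||queue_name=MQ1||count_rec=110
2017-05-10 09:05.000||queue_name=MQ1||count_rec=110
2017-05-10 09:00.000||queue_name=MQ1||count_rec=100
"""


def parse_event(line):
    """Split one '||'-delimited event into (_time, queue_name, count_rec)."""
    ts, *kv = line.strip().split("||")
    fields = dict(pair.split("=", 1) for pair in kv)
    # The timestamp has no seconds field: HH:MM.mmm
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M.%f")
    return when, fields["queue_name"], int(fields["count_rec"])


def bin_time(when):
    """Equivalent of `bin _time span=5m`: floor to the 5-minute boundary."""
    return when.replace(minute=when.minute - when.minute % 5, second=0, microsecond=0)


def new_records(raw_events):
    """Per queue: records added in each 5-minute span (count_rec minus the previous
    span's count_rec). Mirrors bin -> stats max -> streamstats -> eval from the SPL."""
    per_bin = defaultdict(dict)  # stats max(count_rec) by queue_name _time
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        when, queue, count = parse_event(line)
        slot = bin_time(when)
        per_bin[queue][slot] = max(count, per_bin[queue].get(slot, count))
    result = {}
    for queue, counts in per_bin.items():
        prev, deltas = None, []
        for slot in sorted(counts):  # chronological, so input order does not matter
            if prev is not None:
                # A negative value means count_rec went down (e.g. queue purged);
                # it is passed through unchanged, exactly as the SPL eval would.
                deltas.append((slot, counts[slot] - prev))
            prev = counts[slot]
        result[queue] = deltas
    return result
```

`new_records(SAMPLE_EVENTS)` gives MQ1 deltas of 10, 0, 20 and MQ2 deltas of 30, 40, 0 for the 09:05, 09:10 and 09:15 spans, which is what the timechart's `sum(new_recs)` plots.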
As long as _time is correct (matches what is in the event), order doesn't matter; just do this:
Your Base Search Here | timechart avg(count_rec) BY queue_name
Or perhaps you need sum or max instead of avg, and you might need a span= if you don't like what is automatically selected for you.
Could try, but each event is the record count; I would need the difference between the event and the prior record count in order to get the exact number of records for the particular event. Post which I might use first() and then plot on timechart.
How do I get the difference?