Splunk Search

Compare Minute by Minute Timechart "Today" vs Summary Index Timechart Average

bcarr12
Path Finder

I currently have a timechart running every minute each day to show a given field value as it increases through the day. The data is being displayed as an area chart. If possible, I'd like to add an overlay to the chart that will show the "average" value each minute over a larger time period (yesterday, or last week for instance). I already have the "historical" timechart data being saved to a summary index; I'm just wondering what the best way would be to incorporate it.

Right now, the search is relatively simple:
"my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | timechart span=1m count

And I am running this same search, without the earliest and latest filters, and writing the results to a summary index. So it is just a matter of taking today's count by minute and comparing it to the summary index count by minute to get a baseline of today vs prior days, to make it easier to see if it is "normal" or not.

sbbadri
Motivator

Maybe you can try the timewrap command.

For example:

... ... | timechart count span=1d | timewrap 1week

0 Karma

DalJeanis
Legend

I'd probably approach this like so...

Once a day, between 12p and 6a, run an extract from the summary index to a csv, with each projected minute of the new day calculated. I would probably do three numbers - bottom edge, average, top edge - and decide the edges based on 2-3 standard deviations. For simplicity of the actual presentation, I would put each number on its own individual event record with three fields, _time, series and eventcount. Since there are only 720 minutes in your 12 hour period, this would only be 2160 records, so it's fairly small.

Then your presentation is this...

"my search text" earliest=@d+6h latest=@d+18h source="mylog.log" 
| bin _time span=1m
| stats count as eventcount by _time
| eval series="today" 
| append [|inputcsv mydailycsv.csv |  table _time series eventcount]
| timechart span=1m sum(eventcount) as count by series
0 Karma
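As an added example (not code from the thread), here is how the once-a-day extract described in the answer above could be written in SPL. It assumes the summary events were written by the minute-level timechart from the question, so each carries a `count` field and a minute-aligned `_time`, and that they can be selected with `index=summary source="mylog_minute_counts"` (placeholder names; use whatever identifies your summary events). It computes, for each minute of the day over the previous seven days, the average count and edges at plus/minus two standard deviations, re-stamps those values onto today's date so they line up with the live search, reshapes them into the `_time`, `series`, `eventcount` layout, and writes the CSV that the presentation search reads with `inputcsv`.

```spl
index=summary source="mylog_minute_counts" earliest=-7d@d latest=@d
| eval hhmm=strftime(_time, "%H:%M")
| where hhmm>="06:00" AND hhmm<"18:00"
| stats avg(count) AS avg_count stdev(count) AS sd_count BY hhmm
| eval average=round(avg_count, 2)
| eval bottom=max(0, round(avg_count - 2*sd_count, 2))
| eval top=round(avg_count + 2*sd_count, 2)
| eval _time=relative_time(now(), "@d") + tonumber(substr(hhmm, 1, 2))*3600 + tonumber(substr(hhmm, 4, 2))*60
| fields _time bottom average top
| untable _time series eventcount
| outputcsv mydailycsv.csv
```

Schedule this shortly after midnight, before the live window opens. The `where` on `hhmm` keeps the baseline to the same 06:00 to 18:00 window as the live search; without it the appended CSV rows would stretch the timechart's x-axis across the whole day. The `bottom` edge is clamped at zero because a count cannot go negative, and the standard-deviation band is what makes a quiet minute (a feed that stopped) or a busy one (a burst) stand out against normal daily variation rather than against a single average line.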

bcarr12
Path Finder

Thank you for your advice! Let me give this a shot and see how close it gets me to what I am looking for.

0 Karma