How do I sum values over time and show it as a graph that I can predict from?
This is something that I’ve tried to achieve on my own but with limited success. It seems that it should be straightforward too.
I have this type of data going back five years, e.g. 52 months, that I’ve concatenated into one file.
TimeStamp Type Size
4/1/2013:12:01:03 ORD 5
4/1/2013:12:04:11 INV 8
4/1/2013:12:05:21 ORD 5
4/1/2013:12:05:33 INV 34
4/1/2013:12:06:30 ORD 20
4/1/2013:12:06:54 INV 13
4/1/2013:12:07:00 ORD 7
4/1/2013:12:34:44 INV 1
4/1/2013:12:39:32 ORD 1
4/1/2013:12:44:28 ORD 5
4/1/2013:12:49:22 INV 4
4/1/2013:12:50:32 ORD 6
4/1/2013:12:55:30 INV 9
4/1/2013:12:59:29 ORD 12
...etc
I want to produce a timechart for the sum of the ‘Size’ for each ‘Type’ over the amount of time I have data for. We only need it by month so I edit the ‘TimeStamp’, in advance, to be ‘M/1/201Y::12:00:00’.
I’d then like to use this histogram to ‘predict’ the next few months. If someone can provide the ‘code’ for doing just one ‘Type’, I’d be most grateful. I have almost 20 ‘Types’. I can manage the predicting part.
Rich,
Thank you for persevering.
Yes, I'm sure it's me, my data, and not Splunk; no surprise there.
I, too, have put it down to a timestamp problem and so I'll re-jig my data, re-load it, and start again.
As a parting shot, I can produce exactly what I want for events...but not for Size.
I think I'd better think it out again.
Thank you.
Richard aka RexStout.
Maybe this will get you started. There should be no need to edit the timestamp.
<your base search> | timechart span=1mon sum(Size) as Total_Size by Type
Thank you for that, Rich.
As it stands, that still doesn't return anything.
I've got: index=IX Type=ORD | timechart span=1mon sum(Size) as TotalSize
Nothing
Bear in mind that my created timestamp is, for example: 4/1/2013:12:01:03.
Relevant?
But the result of my search shows, for example, _time as 2017-08 and TotalSize as being empty.
It looks like Splunk is not parsing your timestamps correctly or is rejecting them because they're too old. What are your props.conf settings for that sourcetype? Is MAX_DAYS_OLD set to a value that will accept dates from 2013?
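As an added example (not from any poster in this thread), the script below reproduces offline what the `timechart span=1mon sum(Size) ... by Type` search should return for the sample rows in the question, and reports any row whose timestamp does not match the expected pattern, which is the failure mode Rich points at. It assumes the sample data with one constructed May row and one constructed row in the double-colon form mentioned in the question; the strptime pattern is the same notation Splunk's TIME_FORMAT setting uses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the header and rows quoted in the question, one extra May row,
# and one row written with the double-colon form the question describes editing in.
SAMPLE = """\
TimeStamp Type Size
4/1/2013:12:01:03 ORD 5
4/1/2013:12:04:11 INV 8
4/1/2013:12:05:21 ORD 5
4/1/2013:12:05:33 INV 34
4/1/2013:12:06:30 ORD 20
4/1/2013:12:06:54 INV 13
4/1/2013:12:07:00 ORD 7
4/1/2013:12:34:44 INV 1
4/1/2013:12:39:32 ORD 1
4/1/2013:12:44:28 ORD 5
4/1/2013:12:49:22 INV 4
4/1/2013:12:50:32 ORD 6
4/1/2013:12:55:30 INV 9
4/1/2013:12:59:29 ORD 12
5/3/2013:09:15:00 ORD 3
5/1/2013::12:00:00 INV 2
"""

# strptime-style pattern for "4/1/2013:12:01:03"; Splunk's TIME_FORMAT uses the same notation.
TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"

def parse_rows(text):
    """Return (parsed_rows, rejected_lines); rows that fail to parse are reported, not dropped."""
    rows, rejected = [], []
    for line in text.splitlines()[1:]:  # skip the header line
        try:
            ts, typ, size = line.split()
            rows.append((datetime.strptime(ts, TIME_FORMAT), typ, int(size)))
        except ValueError:  # bad field count, bad timestamp, or non-integer Size
            rejected.append(line)
    return rows, rejected

def monthly_totals(rows, only_type=None):
    """Offline equivalent of: timechart span=1mon sum(Size) as TotalSize by Type."""
    totals = defaultdict(dict)
    for ts, typ, size in rows:
        if only_type is not None and typ != only_type:
            continue
        bucket = totals[ts.strftime("%Y-%m")]  # one bucket per calendar month
        bucket[typ] = bucket.get(typ, 0) + size
    return dict(totals)
```

`monthly_totals(parse_rows(SAMPLE)[0])` gives `{'2013-04': {'ORD': 61, 'INV': 69}, '2013-05': {'ORD': 3}}`, and the double-colon row comes back in the rejected list, which is the kind of row Splunk would also fail to timestamp.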