Splunk Search

How do I sum values over time and show it as a graph that I can predict from?

RexStout
Explorer

This is something that I’ve tried to achieve on my own but with limited success. It seems that it should be straightforward too.
I have this type of data going back five years, e.g. 52 months, that I’ve concatenated into one file.

TimeStamp Type Size
4/1/2013:12:01:03 ORD 5
4/1/2013:12:04:11 INV 8
4/1/2013:12:05:21 ORD 5
4/1/2013:12:05:33 INV 34
4/1/2013:12:06:30 ORD 20
4/1/2013:12:06:54 INV 13
4/1/2013:12:07:00 ORD 7
4/1/2013:12:34:44 INV 1
4/1/2013:12:39:32 ORD 1
4/1/2013:12:44:28 ORD 5
4/1/2013:12:49:22 INV 4
4/1/2013:12:50:32 ORD 6
4/1/2013:12:55:30 INV 9
4/1/2013:12:59:29 ORD 12...etc

I want to produce a timechart for the sum of the ‘Size’ for each ‘Type’ over the amount of time I have data for. We only need it by month so I edit the ‘TimeStamp’, in advance, to be ‘M/1/201Y::12:00:00’.

I’d then like to use this histogram to ‘predict’ the next few months. If someone can provide the ‘code’ for doing just one ‘Type’, I’d be most grateful. I have almost 20 ‘Types’. I can manage the predicting part.

0 Karma
1 Solution

RexStout
Explorer

Rich,

Thank you for persevering.
Yes, I'm sure it's me, my data, and not Splunk; no surprise there.

I, too, have put it down to a timestamp problem and so I'll re-jig my data, re-load it, and start again.

As a parting shot, I can produce exactly what I want for events...but not for Size.

I think I'd better think it out again.

Thank you.

Richard aka RexStout.

0 Karma


richgalloway
SplunkTrust

Maybe this will get you started. There should be no need to edit the timestamp.

<your base search> | timechart span=1mon sum(Size) as Total_Size by Type
---
If this reply helps you, Karma would be appreciated.
0 Karma

RexStout
Explorer

Thank you for that, Rich.

As it stands, that still doesn't return anything.

I've got: index=IX Type=ORD | timechart span=1mon sum(Size) as TotalSize
Nothing

Bear in mind that my created timestamp is, for example: 4/1/2013:12:01:03.
Relevant?

But the result of my search shows, for example, _time as 2017-08 and TotalSize as being empty.

0 Karma

richgalloway
SplunkTrust

It looks like Splunk is not parsing your timestamps correctly or is rejecting them because they're too old. What are your props.conf settings for that sourcetype? Is MAX_DAYS_OLD set to a value that will accept dates from 2013?

---
If this reply helps you, Karma would be appreciated.
0 Karma
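Added example, not posted by anyone in this thread: a props.conf stanza that would make the space-delimited "TimeStamp Type Size" file from the question parse cleanly, covering the two things richgalloway raises (the custom timestamp format and the age limit) plus the field extraction that sum(Size) needs. The sourcetype name monthly_sizes is an assumption; the age-limit setting is spelled MAX_DAYS_AGO in props.conf (its default is 2000 days, which is why 2013 events indexed in 2018 or later can be rejected). The search at the end is the one richgalloway gave, with index=IX taken from the thread.

```ini
# props.conf -- added example, not from the thread.
# Sourcetype name "monthly_sizes" is an assumption; use your own.
[monthly_sizes]

# One event per line; the file has no multi-line events.
SHOULD_LINEMERGE = false

# The timestamp is the first token on each line, e.g. 4/1/2013:12:01:03
# (month/day/year:hour:minute:second, month and day not zero-padded).
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y:%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20

# How far in the past an extracted timestamp may be before Splunk
# rejects it. The default of 2000 days is less than five years, so
# 2013 data loaded years later needs a larger limit (3650 = ten years).
MAX_DAYS_AGO = 3650

# Search-time extraction of the three columns. Without a numeric
# Size field, timechart sum(Size) returns empty cells even though
# count works, which matches the symptom described in the thread.
EXTRACT-cols = ^(?<TimeStamp>\S+)\s+(?<Type>\S+)\s+(?<Size>\d+)\s*$

# Search to run afterwards (set the time picker to All time, or the
# 2013 events fall outside the default range):
#   index=IX sourcetype=monthly_sizes
#   | timechart span=1mon sum(Size) AS Total_Size BY Type
```

Two quick checks before trusting the chart, both plain SPL: `index=IX sourcetype=monthly_sizes | stats count count(Size) min(_time) max(_time)` should show count(Size) equal to count (otherwise the extraction is not matching), and min(_time) in 2013 (otherwise the timestamp was not parsed and the events were stamped with index time, which is what a _time of 2017-08 on five-year-old data suggests). Note that the header line "TimeStamp Type Size" has no timestamp and will be indexed with the current time; drop it from the file or filter it out with `Type!=Type`.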