Solved: show proper rate of a continually increasing value

dominiquevocat · ‎09-24-2012

I have a script which collects the ldap stats of a series of ldap hosts and forward the values to splunk.

Now naturally the vaules are increasing - i would want to chart the delta values in a timechart.

How do i go about to achieve this?

I tried something like " | delta simpleAuthBinds AS deltaSimpleAuthBinds | search deltaSimpleAuthBinds>0 | timechart min(deltaSimpleAuthBinds) by dsaName " with min max etc but i only want the value in deltaSimpleAuthBinds (supposing i use "delta" correctly).

dominiquevocat · ‎09-25-2012

Ok, i ended up defining a macro "plotseries(2)"

so i would do something like
host="172.29.200.15" "[STATS]" | plotseries(dsaName,wholeSubtreeSearchOps)

the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.

hope this helps someone - also open for improvement.

View solution in original post

dominiquevocat · ‎09-25-2012

Ok, i ended up defining a macro "plotseries(2)"

so i would do something like
host="172.29.200.15" "[STATS]" | plotseries(dsaName,wholeSubtreeSearchOps)

the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.

hope this helps someone - also open for improvement.

bmacias84 · ‎09-24-2012

I posted this a while a go looking for input. My method uses the autoregress funtion and I'd be happy to walk you through it.

http://splunk-base.splunk.com/answers/55484/line-chart-cumulative-counters-by-host

bmacias84 · ‎09-26-2012

@dominiquevocat, I normal give a sample table output of the data include 10-15 rows

dominiquevocat · ‎09-25-2012

@bmacias84: right now i use a area chart in stacked mode. The hickup came from a spike in one of the areas resulting in white space in the stacked chart :-). I think it would be sufficient to sort the sources by their relative volume. I currently do a one week overview of the load of the ldap servers. It is mostly to get the hang of it.

As for values, can i send them to you somehow?

bmacias84 · ‎09-24-2012

@dominiquevocat, So what kinda of chart are you trying to build (stacked bar or line), what field to do you intend to group by, is this a real-time dashboard (using post-process changes the search a little), one time report, or ad-hoc search? Can you provide a few lines of the _raw? I'd be happy to try and help if I can. Cheers

dominiquevocat · ‎09-24-2012

um, it looks quite odd... the chart kinda breaks 🙂 in stacked mode. Will have to play with it a little and lets the data flow.

dominiquevocat · ‎09-24-2012

yes, it is essentially a table of cumulative counters (all the various stats elements just count up and i gather them to chart and report and alert in splunk)
would love to see your example.

bmacias84 · ‎09-24-2012

So are you dealing with an cumulative counter? If so I may have an example for you.

show proper rate of a continually increasing value

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...