Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

show proper rate of a continually increasing value

dominiquevocat
SplunkTrust
SplunkTrust
‎09-24-2012 07:18 AM

I have a script which collects the ldap stats of a series of ldap hosts and forward the values to splunk.

Now naturally the vaules are increasing - i would want to chart the delta values in a timechart.

How do i go about to achieve this?

I tried something like " | delta simpleAuthBinds AS deltaSimpleAuthBinds | search deltaSimpleAuthBinds>0 | timechart min(deltaSimpleAuthBinds) by dsaName " with min max etc but i only want the value in deltaSimpleAuthBinds (supposing i use "delta" correctly).

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

dominiquevocat
SplunkTrust
SplunkTrust
‎09-25-2012 04:08 AM

Ok, i ended up defining a macro "plotseries(2)"

Macro:
sort $arg1$ | reverse | autoregress $arg1$ as $arg1$ | autoregress $arg2$ as _$arg2$ P=1 | eval delta=($arg2$-$arg2$) | eval delta = if($arg1$ == _$arg1$, delta, null()) | timechart max(delta) by $arg1$ span=5m

so i would do something like
host="172.29.200.15" "[STATS]" | plotseries(dsaName,wholeSubtreeSearchOps)

the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.

hope this helps someone - also open for improvement.

View solution in original post

Reply
Solved! Jump to solution
Solution

dominiquevocat
SplunkTrust
SplunkTrust
‎09-25-2012 04:08 AM

Ok, i ended up defining a macro "plotseries(2)"

Macro:
sort $arg1$ | reverse | autoregress $arg1$ as $arg1$ | autoregress $arg2$ as _$arg2$ P=1 | eval delta=($arg2$-$arg2$) | eval delta = if($arg1$ == _$arg1$, delta, null()) | timechart max(delta) by $arg1$ span=5m

so i would do something like
host="172.29.200.15" "[STATS]" | plotseries(dsaName,wholeSubtreeSearchOps)

the first Argument is for the serialization and servers also in the chart, the second is the metric i want to plot.

hope this helps someone - also open for improvement.

Reply
Solved! Jump to solution

bmacias84
Champion
‎09-24-2012 08:20 AM

I posted this a while a go looking for input. My method uses the autoregress funtion and I'd be happy to walk you through it.

http://splunk-base.splunk.com/answers/55484/line-chart-cumulative-counters-by-host

Reply
Solved! Jump to solution

bmacias84
Champion
‎09-26-2012 02:41 PM

@dominiquevocat, I normal give a sample table output of the data include 10-15 rows

0 Karma
Reply
Solved! Jump to solution

dominiquevocat
SplunkTrust
SplunkTrust
‎09-25-2012 01:44 AM

@bmacias84: right now i use a area chart in stacked mode. The hickup came from a spike in one of the areas resulting in white space in the stacked chart :-). I think it would be sufficient to sort the sources by their relative volume. I currently do a one week overview of the load of the ldap servers. It is mostly to get the hang of it.

As for values, can i send them to you somehow?

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎09-24-2012 09:12 AM

@dominiquevocat, So what kinda of chart are you trying to build (stacked bar or line), what field to do you intend to group by, is this a real-time dashboard (using post-process changes the search a little), one time report, or ad-hoc search? Can you provide a few lines of the _raw? I'd be happy to try and help if I can. Cheers

0 Karma
Reply
Solved! Jump to solution

dominiquevocat
SplunkTrust
SplunkTrust
‎09-24-2012 09:04 AM

um, it looks quite odd... the chart kinda breaks 🙂 in stacked mode. Will have to play with it a little and lets the data flow.

0 Karma
Reply
Solved! Jump to solution

dominiquevocat
SplunkTrust
SplunkTrust
‎09-24-2012 08:14 AM

yes, it is essentially a table of cumulative counters (all the various stats elements just count up and i gather them to chart and report and alert in splunk)
would love to see your example.

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎09-24-2012 08:11 AM

So are you dealing with an cumulative counter? If so I may have an example for you.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...