Splunk Search

How do I get a timechart-like result, but with the data concerned growing from a fixed start time?

p_splunk
Engager

Hi,

I, for example, want to track a ratio like UsersWithTag1/AllUsers,

where the users with the specified tag are growing over time and, of course, all users as well.

When I use timechart I can, e.g., calculate the ratio with span=1d for every single day and follow how it changes.
This would look like:

_time        AllUsers  UsersWithTag1  UsersWithTag1/AllUsers
01.09.2012         50             39                    0,78
02.09.2012         60             46                    0,77
03.09.2012         62             40                    0,65
04.09.2012         52             36                    0,69
05.09.2012         34             28                    0,82
06.09.2012         44             36                    0,82
07.09.2012         92             55                    0,60


But what I want is something where I get daily results for the ratio since the beginning, and how it moves. For the above example this is:

_time        AllUsers  UsersWithTag1  UsersWithTag1/AllUsers
01.09.2012         50             39                    0,78
02.09.2012        110             85                    0,77
03.09.2012        172            125                    0,73
04.09.2012        224            161                    0,72
05.09.2012        258            189                    0,73
06.09.2012        302            225                    0,75
07.09.2012        394            280                    0,71




And does Splunk have any possibility to show a trend or indicator arrow in the column to the right of UsersWithTag1/AllUsers, with green for up and red for down, or something like that?

Thanks

1 Solution

bmacias84
Champion

@p_splunk, I think I see what you are trying to do, and it can be accomplished by using the accum search command. Here is a simplified version which should get you started.


index=_internal | stats count(method) as method, count(message) as message by _time | accum method as accmethod | accum message as accmessage


_time                     method  message  accmessage  accmethod
9/28/12 8:49:01.389 AM         0        2           2          0
9/28/12 8:49:04.290 AM         0        0           2          0
9/28/12 8:49:04.291 AM         2        0           2          2
9/28/12 8:49:04.447 AM         1        0           2          3
9/28/12 8:49:04.728 AM         0        1           3          3
9/28/12 8:49:04.962 AM         1        0           3          4
9/28/12 8:49:04.977 AM         1        0           3          5
9/28/12 8:49:04.993 AM         3        0           3          8
9/28/12 8:49:05.009 AM         1        0           3          9
9/28/12 8:49:05.024 AM         3        0           3         12
9/28/12 8:49:05.040 AM         1        0           3         13
9/28/12 8:49:05.055 AM         1        0           3         14

Hope this helps.

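To map the accepted answer onto the original question (daily buckets from a fixed start date, running totals, the cumulative ratio and a trend marker next to it), here is a fuller search. It is an added example, not the answer's or Splunk's own code: `index=users`, `sourcetype=user_events`, the fields `user` and `tag`, and the tag value `Tag1` are assumed names for illustration. timechart with span=1d yields one row per day starting at the fixed earliest time, accum turns the per-day counts into running totals (summing daily counts, exactly as the asker's second table does), and delta compares each day's ratio with the previous day's so that eval can attach an arrow.

```spl
index=users sourcetype=user_events earliest="09/01/2012:00:00:00" latest="09/08/2012:00:00:00"
| eval tagged=if(tag="Tag1", 1, 0)
| timechart span=1d count as DailyAllUsers, sum(tagged) as DailyUsersWithTag1
| fillnull value=0 DailyUsersWithTag1
| accum DailyAllUsers as AllUsers
| accum DailyUsersWithTag1 as UsersWithTag1
| eval ratio=round(UsersWithTag1/AllUsers, 2)
| delta ratio as change
| eval direction=case(isnull(change), 0, change>0, 1, change<0, -1, true(), 0)
| eval trend=case(direction=1, "▲", direction=-1, "▼", true(), "=")
| table _time AllUsers UsersWithTag1 ratio trend direction
```

Two caveats worth knowing. First, accum and delta are order-dependent: timechart already returns rows in ascending time order, but if you replace it with `stats ... by _time` (as in the answer's one-liner), add `| sort _time` before accum, otherwise the running total follows whatever order stats happened to emit. Second, the cumulative figures count a user once per day they appear, which matches the numbers in the question; if a user should count only once over the whole period, the running total has to be built from each user's first-seen day instead (e.g. `stats min(_time) as first_seen by user` before the timechart). Colouring the arrow green or red is not something SPL does by itself; it is dashboard table formatting applied to a field, which is why the numeric `direction` column (1, 0, -1) is kept alongside the text arrow.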

p_splunk
Engager

Thanks, don't know why I didn't think back to the accum function. Maybe I got lost in typing weird requests.
Thanks
