Hi,
For example, I want to track a ratio like UsersWithTag1/AllUsers,
where the users with the specified tag are growing over time, and of course all users as well.
When I use timechart I can, e.g., calculate the ratio with span=1d for each day separately and follow how it changes.
This would look like:
_time | AllUsers | UsersWithTag1 | UsersWithTag1/AllUsers |
01.09.2012 | 50 | 39 | 0,78 |
02.09.2012 | 60 | 46 | 0,77 |
03.09.2012 | 62 | 40 | 0,65 |
04.09.2012 | 52 | 36 | 0,69 |
05.09.2012 | 34 | 28 | 0,82 |
06.09.2012 | 44 | 36 | 0,82 |
07.09.2012 | 92 | 55 | 0,60 |
But what I want is something where I get daily results for the ratio since the beginning and how it moves. For the above example this is:
_time | AllUsers | UsersWithTag1 | UsersWithTag1/AllUsers |
01.09.2012 | 50 | 39 | 0,78 |
02.09.2012 | 110 | 85 | 0,77 |
03.09.2012 | 172 | 125 | 0,73 |
04.09.2012 | 224 | 161 | 0,72 |
05.09.2012 | 258 | 189 | 0,73 |
06.09.2012 | 302 | 225 | 0,75 |
07.09.2012 | 394 | 280 | 0,71 |
And does Splunk have any possibility to show a trend or indicator arrow in the next column to the right of UsersWithTag1/AllUsers, with green for up and red for down, or something like this?
Thanks
@p_splunk, I think I see what you are trying to do, and it can be accomplished by using the accum search command. Here is a simplified version which should get you started.
index=_internal | stats count(method) as method, count(message) as message by _time | accum method as accmethod| accum message as accmessage
_time method message accmessage accmethod
1 9/28/12 8:49:01.389 AM 0 2 2 0
2 9/28/12 8:49:04.290 AM 0 0 2 0
3 9/28/12 8:49:04.291 AM 2 0 2 2
4 9/28/12 8:49:04.447 AM 1 0 2 3
5 9/28/12 8:49:04.728 AM 0 1 3 3
6 9/28/12 8:49:04.962 AM 1 0 3 4
7 9/28/12 8:49:04.977 AM 1 0 3 5
8 9/28/12 8:49:04.993 AM 3 0 3 8
9 9/28/12 8:49:05.009 AM 1 0 3 9
10 9/28/12 8:49:05.024 AM 3 0 3 12
11 9/28/12 8:49:05.040 AM 1 0 3 13
12 9/28/12 8:49:05.055 AM 1 0 3 14
Hope this helps.
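An added example, not part of the original answer: the asker's seven daily figures are rebuilt with makeresults (constructed sample data, so the search runs without any index), accumulated with accum, divided with eval, and given a text trend column with delta. The field names AllUsersCum, UsersWithTag1Cum, ratio, change and trend are assumptions chosen for illustration.

```spl
| makeresults count=7
| streamstats count AS day
| eval _time = strptime("2012-09-01", "%Y-%m-%d") + (day - 1) * 86400
| eval AllUsers = tonumber(mvindex(split("50,60,62,52,34,44,92", ","), day - 1))
| eval UsersWithTag1 = tonumber(mvindex(split("39,46,40,36,28,36,55", ","), day - 1))
| accum AllUsers AS AllUsersCum
| accum UsersWithTag1 AS UsersWithTag1Cum
| eval ratio = round(UsersWithTag1Cum / AllUsersCum, 2)
| delta ratio AS change
| eval trend = case(isnull(change), "-", change > 0, "up", change < 0, "down", true(), "flat")
| table _time AllUsers UsersWithTag1 AllUsersCum UsersWithTag1Cum ratio trend
```

Against real data, the first five lines would be replaced by the search and timechart span=1d that produce the daily AllUsers and UsersWithTag1 counts; the accum, eval and delta steps stay the same.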
Thanks, dunno why I didn't think back to the accum function. Maybe lost in typing weird requests.
Thanks