Splunk Search

Calculation of area of a graph

nebel
Communicator

Hi there,

today I have a special question. I am not sure how to realise this.
I have on the one hand a lot of performance values, like 20, 13, 15. On the other hand I have the time stamps for those performance values. It mean, I can create easily a graph. No I am adding a extra line, called recommendation of 10.

Now we have a graph and a line which is the treshold line.

The idea is now, to calculate the area which is higher than the recommodation. I already found the mathematic phrase but I think there is maybe another way to realise this. With a mathematic phare it is so complex...

Could you please advise me how I can realise this? Any kind of ideas are more than welcome.

Thank you very much in advance

Regards

Tags (3)
0 Karma
1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

Calculating area under a curve normally requires calculus and integration to properly calculate. However, you can try and approximate it. What I would do, since you have each of the values of the area points, you can take the points with values higher than your threshold, subtract the threshold value (to get the value above the line) and sum them over the _time of your graph. A search may go something like this.

your_search|eval threshold = 10|where perf_value > threshold|eval diff_threshold = perf_value - threshold|stats sum(diff_threshold) as "Total 'Area' Above the Line"

View solution in original post

0 Karma

nebel
Communicator

thank you for that.
Do you think it is more exactly with your idea instead of calculate the area?

Thanks

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Calculating area under a curve normally requires calculus and integration to properly calculate. However, you can try and approximate it. What I would do, since you have each of the values of the area points, you can take the points with values higher than your threshold, subtract the threshold value (to get the value above the line) and sum them over the _time of your graph. A search may go something like this.

your_search|eval threshold = 10|where perf_value > threshold|eval diff_threshold = perf_value - threshold|stats sum(diff_threshold) as "Total 'Area' Above the Line"

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...