Splunk Search

Track growth on new items within a time range using a timechart

clintla
Contributor

[screenshot]

I've tried various attempts at this with no joy. I'm simply trying to create a chart where I can specify a time range w/ the time picker & I can track growth of 1000 or more VMs.

If a VM was at the start and end of the time range, it works fantastic.

The problem is, per the screenshot, that if a new VM is created (this one was created on 11/16) & you compare earliest w/ latest, it doesn't take into consideration that at the beginning of the time picker range (11/5) the VM was not present & the capacity used was ZERO (0).

If I use the time picker to choose a range of 11/5 through 11/20, all I can get is a growth of (-84), but the growth should show 13504 because it started with 0 on 11/5.

Is there a simple solution for this? I plan on removing the search for just VM1 & want to be able to compare all our VMs to see which VMs grew/shrank the most over whatever time period (using the time picker) I choose.

0 Karma

woodcock
Esteemed Legend

You can use the accum command with bin to build the bits that you need:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Accum

0 Karma

clintla
Contributor

But if the server didn't exist at the beginning of the time frame & you ping for the earliest value of a VM, even if you use accum, the first value will still not be 0, right? All accum does is take existing values. The problem is the VM doesn't exist at the beginning of the selected time, so it's just going to have no values & it will still choose the first value, which is not 0 & therefore incorrect, right?

0 Karma

woodcock
Esteemed Legend

This is the Sentinel Search problem discussed (with solution) here:
https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf

0 Karma

clintla
Contributor

How does this create 0s? I have a lookup (YearVM) that creates a list of all VMs existing for a year (which is what I think you are doing ad hoc for the append command per below).

Let’s use our lookup to add in the missing items
sourcetype=access_combined action=purchase
| stats sum(price) as revenue by productID
| inputlookup append=true productIDs
| chart sum(revenue) as revenue by productID

When I try it on a "Year to Date" range on a VM that was created in July, it simply lists all the values, no 0s.

| lookup YearVM NAME1 as name OUTPUT NAME1 as lookupname
| stats values(disk_space_used) as Start by lookupname
| chart min(Start) by lookupname

lookupname   min(Start)
vm1          3

vm1 should have a minimum of 0, since on Jan 1 it was not created yet.

0 Karma

dindu
Contributor

Hi,

Could you please try the below solution?
It is also recommended to look into the "trendline" command, depending on your requirement.

Please try the below option and let us know.

| your_search
| table _time,disk_space_used,name
| fillnull value=0 disk_space_used
| timechart span=1d values(disk_space_used) AS CapacityUsed BY name

0 Karma

clintla
Contributor

When you table it like that, it drops all the zeros (0s)... same problem I've run into with various attempts.

It's like when you use fillnull that they are all fake 0s.

But I'd like a chart that outputs, for a time picker range from 11/5 to 11/20:

VM     capacity growth
vm1    13389

0 Karma

clintla
Contributor

| table _time,disk_space_used,name
| fillnull value=0 disk_space_used
| timechart span=1d values(disk_space_used) AS Capacity BY name

Output

_time        vm1
2019-11-05
2019-11-06
2019-11-07
2019-11-08
2019-11-09
2019-11-10
2019-11-11
2019-11-12
2019-11-13
2019-11-14
2019-11-15
2019-11-16   13588
2019-11-17   13618
2019-11-18   13622
2019-11-19   13428
2019-11-20   13389
2019-11-21   13457
2019-11-22   13478

0 Karma

clintla
Contributor

When I try this:
| table _time,disk_space_used,name
| timechart span=1d values(name), values(disk_space_used) AS Capacity
| fillnull value=0 Capacity

The problem is that the name isn't continued... maybe that's why it never assigned a previous value of 0.

_time        values(name)   Capacity
2019-11-09                  0
2019-11-10                  0
2019-11-11                  0
2019-11-12                  0
2019-11-13                  0
2019-11-14                  0
2019-11-15                  0
2019-11-16   vm1            13588
2019-11-17   vm1            13618
2019-11-18   vm1            13622
2019-11-19   vm1            13428
2019-11-20   vm1            13389
2019-11-21   vm1            13457
2019-11-22   vm1            13478
2019-11-23   vm1            13519
2019-11-24   vm1            13504
2019-11-25   vm1            13505

0 Karma
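One way to get the zero baseline the thread is after, added here as an example and not taken from any of the replies above: run fillnull after the timechart rather than before it, so the day buckets before a VM first reports become 0 in that VM's column, then compare the first and last bucket per VM. It assumes the name and disk_space_used fields from the searches above and one numeric reading per VM per day (latest() rather than values(), since a multivalue field cannot be subtracted).

```spl
your_search
| timechart span=1d limit=0 latest(disk_space_used) BY name
| fillnull value=0
| untable _time name used
| stats earliest(used) AS start_used latest(used) AS end_used BY name
| eval growth=end_used-start_used
| sort -growth
```

limit=0 stops timechart from folding VMs beyond the first ten into an OTHER column. A VM that stops reporting mid-range will likewise drop to 0 and show as a shrink, which is worth checking before acting on the bottom of the sorted list.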