- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart - _time subsearch issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to feed several days most busy hour into a weighted score evolution over time,
which I'm running troubles into..
Let's say I the subsearch outputs something like the following into my main search.
(date_month = february AND date_mday = 13 AND date_hour = 20) OR (date_month = february AND date_mday = 14 AND date_hour = 20)
I need to sum some values as components to the final expression, but considering I need the score evolution over time I've added by Platform date_month date_mday date_hour so I don't lose the _time attributes.
My current expression,
(...)
| eval OptimumMem = case(
Platform=="SCPs" AND MemUsedPct <= 60, 1,
Platform=="DSCPs" AND MemUsedPct <= 75, 1,
(...)
Platform=="MGRs" AND MemUsedPct <= 60, 1
)
| eval AcceptableMem = case(
Platform=="SCPs" AND MemUsedPct > 60 AND MemUsedPct <= 75, 1,
Platform=="DSCPs" AND MemUsedPct > 75 AND MemUsedPct <= 90, 1,
(...)
Platform=="MGRs" AND MemUsedPct > 60 AND MemUsedPct <= 75, 1
)
| stats count(MemUsedPct) as TotalEvents sum(OptimumMem) as TotalOptimumMem sum(AcceptableMem) as TotalAcceptableMem by Platform date_month date_mday date_hour
| fillnull
| eval ScpMemApdex=if(Platform="SCPs",(TotalOptimumMem + TotalAcceptableMem/2) / TotalEvents,0)
| eval DscpMemApdex=if(Platform="DSCPs",(TotalOptimumMem + TotalAcceptableMem/2) / TotalEvents,0)
(...)
| eval MgrMemApdex=if(Platform="MGRs",(TotalOptimumMem + TotalAcceptableMem/2) / TotalEvents,0)
| eval ApdexScore=round(100*(0.17*ScpMemApdex + 0.17*DscpMemApdex + 0.4*SdpMemApdex + 0.15*SmpMemApdex + 0.07*BitMemApdex + 0.04*MgrMemApdex), 2)
is returning,
Platform date_month date_mday date_hour TotalEvents TotalOptimumMem TotalAcceptableMem ApdexScore DscpMemApdex MgrMemApdex ScpMemApdex
DSCPs february 13 20 48 48 0 **17.00** 1 0 0
MGRs february 13 20 36 36 0 **4.00** 0 1 0
How should I change it so I don't get No results found when adding
| timechart sum(ApdexScore)
?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to reconstruct _time. If there's no _time field, timechart will not work
so do something like this before the timechart :
... | eval _time=strptime(date_hour." ".date_mday." ".date_month,"%H %d %B")
Then add :
| timechart sum(ApdexScore)
You may actually want to include the year too ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, no. Those ** were just to stand out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you bin your original events into hours you could group by _time instead of those three, hence keeping the actual _time all the way through.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like bucket _time span=1h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Martin, how does the bin expression before stats look like?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was thinking of binning by hour after you determine the day's value, right before the final stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Martin, I started using that approach, the issue with it is that forcing _time, would return the same value across all the main search timestamps, which would run me into trouble summing them in the timechart expression (whereas I need to compute a single daily value - representative of the busiest hour)
_time Platform TotalEvents TotalOptimumMem TotalAcceptableMem DscpMemApdex ScpMemApdex
13/02/2013 20:00:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:05:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:10:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:15:00.000 DSCPs 4 4 0 1 0
13/02/2013 20:20:00.000 DSCPs 4 4 0 1 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to reconstruct _time. If there's no _time field, timechart will not work
so do something like this before the timechart :
... | eval _time=strptime(date_hour." ".date_mday." ".date_month,"%H %d %B")
Then add :
| timechart sum(ApdexScore)
You may actually want to include the year too ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Flawless !
Thank you jonuwz, really.
I was getting trouble wrapping my head over what was the culprit.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are the ** on the ApdexScore part of the field value?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
