Hello, I am new to Splunk. I have this script that runs every minute and appends a log; it looks like this:
11:05:01@12-17-10 LogName=IntroscopeEnterpriseManager.log PreviousCount=828557 CurrentCount=828559 LineCount=2
11:05:01@12-17-10 LogName=perflog.txt PreviousCount=28919 CurrentCount=28923 LineCount=4
11:06:01@12-17-10 LogName=tessperflog.txt PreviousCount=29174 CurrentCount=29178 LineCount=4
11:06:01@12-17-10 LogName=IntroscopeEnterpriseManager.log PreviousCount=828559 CurrentCount=828598 LineCount=39
11:06:02@12-17-10 LogName=perflog.txt PreviousCount=28923 CurrentCount=28927 LineCount=4
What I want is to create a TREND report on the value of LineCount for each log. There are 3 logs, and I want to trend the LineCount by each log.
Thanks, Ashish
Given what you've said I think you might try this simple search:
sourcetype="<your sourcetype here>" | stats sum(LineCount) by LogName
or if you want to see the counts over time by each log:
sourcetype="<your sourcetype here>" | timechart sum(LineCount) by LogName
What also strikes me is that early on, new users often think they have to write scripts. Sometimes they write a script that parses logfiles and later discover that it's vastly easier to just index the entire log in splunk, get slightly fancier with the splunk search language and throw away their script....
but that's only a suggestion. There can obviously be quite good reasons to go in the direction of custom scripting.
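The two searches above correspond to "sum per log" and "sum per log over time" (for a one-minute script you would typically pin the bucket size with `timechart span=1m sum(LineCount) by LogName`). To make concrete what those searches compute, and the 20% deviation check the poster's script is doing, here is an added Python example that is not part of this thread or of Splunk: it parses the posted line format, builds the per-LogName trend series that `timechart` would draw, cross-checks that `CurrentCount - PreviousCount == LineCount` on every line, and flags any minute-to-minute jump above a threshold. The sample lines are copied from the question; the function names and the 20% threshold are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input, constructed from the five lines posted in the question.
SAMPLE_LOG = """\
11:05:01@12-17-10 LogName=IntroscopeEnterpriseManager.log PreviousCount=828557 CurrentCount=828559 LineCount=2
11:05:01@12-17-10 LogName=perflog.txt PreviousCount=28919 CurrentCount=28923 LineCount=4
11:06:01@12-17-10 LogName=tessperflog.txt PreviousCount=29174 CurrentCount=29178 LineCount=4
11:06:01@12-17-10 LogName=IntroscopeEnterpriseManager.log PreviousCount=828559 CurrentCount=828598 LineCount=39
11:06:02@12-17-10 LogName=perflog.txt PreviousCount=28923 CurrentCount=28927 LineCount=4
"""

# Timestamp is HH:MM:SS@MM-DD-YY, followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d@\d\d-\d\d-\d\d)\s+(?P<kv>.+)$")
TS_FORMAT = "%H:%M:%S@%m-%d-%y"


def parse_line(line):
    """Parse one script output line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "log": fields["LogName"],
        "previous": int(fields["PreviousCount"]),
        "current": int(fields["CurrentCount"]),
        "line_count": int(fields["LineCount"]),
    }


def parse_log(text):
    """Parse every non-empty line; unparseable lines are skipped."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]


def inconsistent_events(events):
    """Sanity check: LineCount should equal CurrentCount - PreviousCount.
    Returns the events where the script's own arithmetic does not add up."""
    return [e for e in events if e["current"] - e["previous"] != e["line_count"]]


def trend_by_log(events):
    """Equivalent of `timechart span=1m sum(LineCount) by LogName`:
    {LogName: [("YYYY-MM-DD HH:MM", summed LineCount), ...]} ordered by time."""
    buckets = defaultdict(lambda: defaultdict(int))
    for e in events:
        minute = e["time"].replace(second=0).strftime("%Y-%m-%d %H:%M")
        buckets[e["log"]][minute] += e["line_count"]
    return {log: sorted(series.items()) for log, series in buckets.items()}


def deviation_alerts(series, threshold=0.20):
    """Flag buckets whose LineCount deviates from the previous bucket by more than
    `threshold` (20% by default, the figure the poster's script uses).
    A jump from zero to any non-zero count is treated as a deviation, since the
    relative change is undefined. Returns (LogName, bucket, previous, current)."""
    alerts = []
    for log, points in series.items():
        for (_, prev), (bucket, cur) in zip(points, points[1:]):
            if prev == 0:
                deviated = cur != 0
            else:
                deviated = abs(cur - prev) / prev > threshold
            if deviated:
                alerts.append((log, bucket, prev, cur))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("inconsistent lines:", inconsistent_events(events))
    for log, points in trend_by_log(events).items():
        print(log, points)
    for alert in deviation_alerts(trend_by_log(events)):
        print("DEVIATION > 20%%: %s at %s went from %d to %d lines" % alert)
```

Running this on the posted sample produces one alert, for IntroscopeEnterpriseManager.log at 11:06, where the count jumps from 2 to 39; the other two logs stay flat. The same result comes out of the Splunk side with `| timechart span=1m sum(LineCount) by LogName` followed by a `delta` or `streamstats` comparison, which is the direction the answer above is pointing at instead of a separate script.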
Did you ever get a reply on this?
What I want Splunk to do is draw a trend chart of LineCount by each LogName, almost similar to how the UNIX app draws a chart of CPU for different hosts.
So instead of CPU I want to plot the field LineCount... not sure if this helps?
Thanks,
Ashish
OK. I understand what your script is doing. But I don't think I understand what you want the Splunk search to do. Can you update your question with more detail?
Hi Nick,
Thanks for the quick response. The intent of this script is to check the line count of these logs, and if there is a deviation of 20% in the line count from now to the last value, it creates a new log of the last 200 lines from that moment and Splunk picks it up.
As I mentioned, I am still new to this whole setup and don't want to consume Splunk licenses unnecessarily with logs that are of value only when there is an issue.
Coming back to your response, I did try that and it doesn't meet the need... here's what I was looking for:
log1: 5 6 7 8 1 23 100
log2: 5 3 7 8 5 3 45
log2: 3 1 7 324 12 23