Re: Plot step function to display state change of ...

rakes568 · ‎07-13-2017

We have a list of machines in our system with their state change as On or Off along with timestamp.

 2017-07-11 12:39:01    M1    Up
 2017-07-11 12:25:39    M2    Down
 2017-07-11 10:58:27    M1    Down
 2017-07-11 10:44:32    M3    Down
 2017-07-11 10:27:33    M3    Up
 2017-07-11 09:47:52    M3    Down

I want to plot a step function of State change for all machines based on timestamp. I tried this query, but this just connects Up/Down states with slant lines, instead of creating a step function.

mysearch| eval State=if(state="Up",1,0) | chart max(State) as StateChange by _time,machine

I am using linechart for visualization. So can we create a step function visualization? Also is there a way to display StateChange as Up/Down instead of 1/0 in visualization?

woodcock · ‎07-13-2017

I guess that you are going to have to figure out your own visualization answer but this search should get you the tabular data that you need:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S") 
| eval State=if(state="Up",1,0) 
| sort 0 _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart latest(State) AS StateChange BY _time machine
| filldown M*
| fillnull value="FixMeLater"
| untable _time machine StateChange
| eventstats first(State) AS firstState
| eval firstState=if((firstState=1), "0", "1")
| eval StateChange=if((StateChange="FixMeLater"), firstState, StateChange)
| xyseries _time machine StateChange

hegdep10 · ‎06-30-2020

@rakes568 I have the exact same requirement as you have mentioned in the very beginning of this post. I tried the last solution posted for this post but that's not what I'm looking for. In case you found a solution for this problem it will be great if you share the solution or the approach.

woodcock · ‎07-13-2017

If you mean that you would like a "square wave", then you should just select column chart visualization and set the Y-axis value for min to 0 and max to 1. You can do something like this:

| makeresults 
| eval raw="2017-07-11 12:39:01,M1,Up::2017-07-11 12:25:39,M2,Down::2017-07-11 10:58:27,M1,Down::2017-07-11 10:44:32,M3,Down::2017-07-11 10:27:33,M3,Up::2017-07-11 09:47:52,M3,Down" 
| makemv delim="::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "(?<_time>[^,]+),(?<machine>[^,]+),(?<state>[^,]+)$" 
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval State=if(state="Up",1,0) 
| timechart latest(State) AS StateChange BY machine 
| reverse 
| filldown M*

rakes568 · ‎07-13-2017

I need exact timestamp, that's why I used chart instead of timchart. How will column chart help? It displays a bunch of bars with value of 1, and doen't make any sense.

Plot step function to display state change of machines based on timestamp?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases