- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart of event with duration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart of event with duration
I try make nice timechart how many objects are unavailable in specific time.
In my log I have start and end events from every outages and they are binded nicely together. Also I have calculated how long these outages are (in minute accuracy).
When I try to drad timechart with :
index=alarms event=add OR event=clear
| transaction event_id startswith=(event=add) endswith=(event =="Clear") keepevicted=true
| timechart dc(event_id)
I've got line stay up whole day. If I add span=15min (the accuracy what I want), I got only small spikes(15min), even those outages are 4 or 5 hours long.
Analog:
Restaurant have log on every seat when customer sit down and stands up. Every customer uses different time when they are eating. I want know how many customer we have in specific 15min timewindow in graph.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For this kind of questions there is no need of sampling every second.
If you want to measure the concurrency of elements with a duration you should do:
* Align the buckets to a periods that you like
|eval bucket_time_size=1800
|eval start_bucket_time=START_TIME-(START_TIME%bucket_time_size)
|eval end_bucket_time=END_TIME-(END_TIME%bucket_time_size)
Create the ranges in a variable of the events for the bucket size you defined
|eval bucket_start=mvrange(start_bucket_time,end_bucket_time,bucket_time_size)
Expand the variable (and the events)
|mvexpand bucket_start
Assign the _time to the new expanded field.
|eval _time=bucket_start
With that you will have what are the concurrent elements in a certain frame of time. Calculating how much is really used in each bucket will be like the calculation of in the previous answer of duration_bucket.
More detail explanation in: http://answers.splunk.com/answers/223129/how-to-distribute-an-event-among-many-time-buckets.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@warm79 , does it solves this to you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whenever I see questions about keeping track of state like this I immediately think of this excellent blog post covering the subject: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well what I understand of that blog was "you should check status of your monitored item every second, if you want good occupacy report". I can't agree more that it is most reliable way to do that. I am not sure how vice it is when I have 1000+ items to look after.
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
