We have data in the summary index that counts information by various categories. For the purposes of presenting the problem, we collect information in 15-minute buckets, and each event includes HostName, HostType, and count, which is the number of occurrences of the HostName, HostType combination in that bucket. So a sample event would be

08:15:00 ... HostName="Alpha" HostType="foo" count=47 ...

HostNames can be any of a variety of strings, and HostType can be either "foo" or "bar". I am trying to write a search that plots the percentage of "foo" in each bucket using a timechart. So far we have

index=summary 
| bucket span=15m _time 
| eval NumFoo=if(match(Node_Type,"foo"),count,0) 
| eval NumBar=if(match(Node_Type,"bar"),count,0) 
| eval PercentFoo=(NumFoo/(NumFoo+NumBar)) 
| timechart span=15m PercentFoo

As written, Splunk complains that "The specifier 'Offload' is invalid. It must be in form (). For example: max(size)." If I remove the timechart of the search above and instead pipe to | chart max(NumFoo), max(NumBar), max(PercentFoo) by _time I can see values for NumFoo and NumBar so the variables seem to be populated. I don't think using timechart max(PercentFoo) or any other operation on PercentFoo is appropriate - I have a value calculated I just need to display it. Any guidance on how to accomplish this is greatly appreciated.

asked 26 Jan '11, 15:52 by beaumaris

edited 05 May '11, 11:38 by jlaw

Is your summary index created using one of the si- commands (sistats, sitimechart, sichart) or one of the conventional ones? (stats, etc.)? It appears to be the latter, but can you confirm?

(26 Jan '11, 16:32) gkanapathy ♦

The summary index is created using the conventional commands

(26 Jan '11, 18:51) beaumaris

2 Answers:

It's a little strange to do the bucketing manually and then give it to timechart, which will want to bucket it again. But you could maybe replace the timechart with stats first(PercentFoo) as PercentFoo first(PercentBar) as PercentBar by _time. Since the first bucket command will have done the bucketing, timechart and its second span=15m clause aren't going to do anything that the stats clause wouldn't do anyway.

Or maybe you could not do the initial bucketing but leave the work to timechart. This is the way I would go:

index=summary (HostType="foo" OR HostType="bar") | timechart span=15m sum(count) by HostType

a nice stacked area chart of that might be all you need, but you could also do this:

index=summary (HostType="foo" OR HostType="bar") | timechart span=15m sum(count) by HostType | addtotals | eval fooPercent=foo*100/Total | eval barPercent=bar*100/Total

answered 26 Jan '11, 16:37 by nick

Great approach Nick, leaves me with a new question. When I adopt your second search style, I can use the 'fields' command to get a table with 2 columns: _time and fooPercent. However when I do "Show Report" it no longer seems to understand this is a timechart of fooPercent over _time, presumably because this was not in the original timechart command early in the search string. Can you recommend a way to get the graph of fooPercent over _time that we desire?

(26 Jan '11, 18:46) beaumaris

I believe you should be able to do:

index=summary | timechart span=15m sum(count) by Node_Type | eval PercentFoo=foo/(foo+bar)

though if your example is too much simplified from your actual use case, there will have to be some adjustments made to make this work.

answered 26 Jan '11, 16:36 by gkanapathy
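As an added worked example (not part of the original thread, and written in Python rather than SPL so it runs without a Splunk instance), the following models the three computations discussed above over a constructed set of summary-index rows: the per-event ratio in the question's search, counting summary rows per bucket (what `timechart count by HostType` does), and summing the precomputed `count` field per bucket (the `timechart sum(count) by HostType` shape used in both answers). Field names and the host names Alpha/foo/bar come from the question; the timestamps and count values are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of summary-index rows (made up for this example): one row
# per HostName/HostType pair per 15-minute bucket, carrying the precomputed
# count field described in the question.  Format: (_time, HostName, HostType, count)
EVENTS = [
    ("2011-01-26 08:00:00", "Alpha", "foo", 47),
    ("2011-01-26 08:00:00", "Beta",  "bar", 3),
    ("2011-01-26 08:00:00", "Gamma", "foo", 10),
    ("2011-01-26 08:15:00", "Alpha", "foo", 20),
    ("2011-01-26 08:15:00", "Beta",  "bar", 60),
    ("2011-01-26 08:15:00", "Delta", "bar", 20),
    ("2011-01-26 08:30:00", "Beta",  "bar", 5),
]

SPAN_MINUTES = 15


def bucket(ts):
    """Floor a timestamp to the start of its 15-minute span, as
    `bucket span=15m _time` does."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    floored = t.replace(minute=t.minute - t.minute % SPAN_MINUTES,
                        second=0, microsecond=0)
    return floored.strftime("%Y-%m-%d %H:%M:%S")


def per_event_ratio_then_max(events):
    """What the question's search computes: NumFoo and NumBar are filled per
    row, so every row's PercentFoo is 1.0 (a foo row) or 0.0 (a bar row).
    Taking max() per bucket afterwards only reports whether any foo row
    existed in that bucket, not the share of foo occurrences."""
    best = {}
    for ts, _host, htype, count in events:
        num_foo = count if htype == "foo" else 0
        num_bar = count if htype == "bar" else 0
        total = num_foo + num_bar
        if total == 0:          # Splunk yields null for x/0; skip such rows
            continue
        b = bucket(ts)
        best[b] = max(best.get(b, 0.0), num_foo / total)
    return best


def bucket_then_ratio(events, use_sum=True):
    """The answers' approach: aggregate per bucket and HostType first, then
    divide.  use_sum=True mirrors `timechart sum(count) by HostType`;
    use_sum=False mirrors `timechart count by HostType`, which counts summary
    rows rather than the occurrences those rows stand for."""
    totals = defaultdict(lambda: {"foo": 0, "bar": 0})
    for ts, _host, htype, count in events:
        if htype not in ("foo", "bar"):      # same as the HostType=... filter
            continue
        totals[bucket(ts)][htype] += count if use_sum else 1
    result = {}
    for b, cols in sorted(totals.items()):
        total = cols["foo"] + cols["bar"]    # what `addtotals` puts in Total
        result[b] = 100.0 * cols["foo"] / total if total else None
    return result


if __name__ == "__main__":
    for label, series in [
        ("per-event ratio, then max (question's search)", per_event_ratio_then_max(EVENTS)),
        ("rows per bucket (timechart count)", bucket_then_ratio(EVENTS, use_sum=False)),
        ("occurrences per bucket (timechart sum(count))", bucket_then_ratio(EVENTS)),
    ]:
        print(label)
        for b, v in sorted(series.items()):
            print(f"  {b}  {v}")
```

On the constructed rows, the per-event version reports 1.0 for every bucket that contains a single foo row, row counting gives 66.7% for the 08:00 bucket, and summing `count` gives 95%, which is the proportion of occurrences the question asks for. The `None` result for an empty Total mirrors Splunk's null on division by zero, which is worth keeping in mind if a bucket can legitimately have no rows of either type.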


Copyright © 2005-2012 Splunk, Inc. All rights reserved.