8/7/2023

Splunk stats vs eventstats

My mandate is to calculate the percent of one class of exceptions as a function of all events. I can get either count fairly easily but I am struggling to get both counts so that I can calculate the required percentage.

```spl
| eval exception=case( isnull(exception),
    Like(exception, "Disconnected from node%"), Like(exception, "%has passed since batch creation"), Like(exception,"%which is larger than%"),
| stats count as exceptionCount by date exception
| eval exceptionPct=round(exceptionCount/dailyEventCount*100,2)
| table date exceptionCount dailyEventCount
```

Either of the two stats commands above works independently and populates the respective columns of the final table, but the two together fail, and give me an empty table with no data. I have been reading the Splunk docs on stats and eventstats and so far have not come up with an answer on my own.

The stats command transforms the results: what's passed on to the next command is just the fields mentioned in stats. If you have two consecutive stats commands then the second is counting the results from the first rather than the original events. In a situation like this, as you suspected, you need a combination of stats and eventstats. Use stats to get the per-exception counts, then use eventstats to calculate the total count.

Slice And Dice: Comparing Values Over Specific Times

If you're lost, you can look and you will find it: Time OVER time.

Sometimes, data can't just be visualized sequentially. Often, it is most useful to compare data across specific points in time. In this 4-part series, I will be outlining some interesting ways to help visualize data points across specific points in time, namely day over week (i.e. this past Thursday versus the last three Thursdays) and hour over week (this past Thursday at 1 p.m.

The first installment will focus on the day-over-week visualization that allows the user to quickly visualize the last four Thursdays (or any other day of the week) overlaid on top of each other to quickly determine any discrepancies between them. For example, let's say you're monitoring sales throughout the day. You notice that sales seemed to spike up at 8 p.m. yesterday, but you're curious if it is spiking up at that same hour every Thursday or if the peaks are happening at different times, and how big those discrepancies are.

Splunk has some very handy, albeit underrated, commands that can greatly assist with these types of analyses and visualizations. Additionally, it can be difficult to clearly display the appropriate context and intent of the visualizations, so it is imperative to clearly delineate what the data points represent on the charts themselves. We'll explore both situations in this article, including some sample SPL to help you get where you need to get with your own data.

To achieve this, we'll use the timewrap command, along with the xyseries/untable commands, to help set up the proper labeling for our charts for ease of interpretation. In the end, our Day Over Week Comparison chart will look like this. The chart shows each Thursday across the past four weeks, overlaid on top of each other. (Note that you could go back as far as your data lets you go. This is just how far back we went for the purpose of this article.)

This is the search that was used for the panel shown above. Each of our events has a TotalSales field that we are using as our value to chart.

```spl
| fields _time, "TotalSales", Hour, Day, Date
| timechart span=1h count(TotalSales) as TotalSales
| rename TotalSales_s0 as LatestDay, TotalSales_s1 as WeeksBack1, TotalSales_s2 as WeeksBack2, TotalSales_s3 as WeeksBack3, TotalSales_s4 as WeeksBack4
| eval FieldName = CASE(FieldName = "LatestDay", "Latest Thursday", 1=1, "Thursday (" .
```

Let's break this search down and explain what is going on here. The first four lines are setting up our data. We create fields to store the specific Date, Day, and Hour for our values, as well as filter out only the information for the specific day we are looking to compare.
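The stats/eventstats question above is easiest to see in a small model of what each command does to the result rows. The following Python is an added example, not code from the question, the answer, or Splunk itself: it emulates only the row-shape semantics of `stats count ... by` (transforming, one row per group) and `eventstats sum(...) by` (non-transforming, totals appended to every row) on a constructed event set, shows why two consecutive `stats` commands produce the wrong daily total, and computes the percentage the way the answer recommends. The equivalent SPL, which uses standard Splunk commands, is quoted in the comments; the dates and exception class names are made up.

```python
"""Model of Splunk's stats versus eventstats on constructed events.

Added example, not code from the question or the answer above, and not
Splunk's own implementation: it emulates only the row-shape semantics of
the two commands so that the difference the answer describes is visible.
The equivalent SPL (standard Splunk commands) is quoted in the comments.
"""
from collections import Counter, defaultdict

# Constructed sample events: one row per raw event, each already tagged with
# the exception class that the question's eval/case() would assign. The
# dates and class names are made up for this example.
EVENTS = [
    {"date": "2023-08-01", "exception": "Disconnected from node"},
    {"date": "2023-08-01", "exception": "Disconnected from node"},
    {"date": "2023-08-01", "exception": "batch too old"},
    {"date": "2023-08-01", "exception": "none"},
    {"date": "2023-08-02", "exception": "Disconnected from node"},
    {"date": "2023-08-02", "exception": "none"},
    {"date": "2023-08-02", "exception": "none"},
    {"date": "2023-08-02", "exception": "none"},
]


def stats_count(rows, by, as_name="count"):
    """| stats count as <as_name> by <by ...>
    Transforming: the output has one row per group and carries only the
    by-fields plus the count; every other field is gone."""
    counts = Counter(tuple(r[f] for f in by) for r in rows)
    return [dict(zip(by, key), **{as_name: n}) for key, n in counts.items()]


def eventstats_sum(rows, field, as_name, by):
    """| eventstats sum(<field>) as <as_name> by <by ...>
    Non-transforming: every input row survives unchanged and the group
    total is added to it as a new field."""
    totals = defaultdict(int)
    for r in rows:
        totals[tuple(r[f] for f in by)] += r[field]
    return [dict(r, **{as_name: totals[tuple(r[f] for f in by)]}) for r in rows]


def daily_totals_two_stats(events):
    """The failure mode from the question: a second stats counts the FIRST
    stats' output rows (distinct exception classes per day), not events."""
    per_exception = stats_count(events, ["date", "exception"])
    per_day = stats_count(per_exception, ["date"])
    return {r["date"]: r["count"] for r in per_day}


def exception_pct(events):
    """The working pipeline the answer describes, in SPL:
        | stats count as exceptionCount by date exception
        | eventstats sum(exceptionCount) as dailyEventCount by date
        | eval exceptionPct=round(exceptionCount/dailyEventCount*100,2)
    """
    rows = stats_count(events, ["date", "exception"], as_name="exceptionCount")
    rows = eventstats_sum(rows, "exceptionCount", "dailyEventCount", ["date"])
    for r in rows:
        r["exceptionPct"] = round(r["exceptionCount"] / r["dailyEventCount"] * 100, 2)
    return sorted(rows, key=lambda r: (r["date"], r["exception"]))


if __name__ == "__main__":
    # The two-stats version reports 3 and 2 "events" for days that have 4 each.
    print("two consecutive stats:", daily_totals_two_stats(EVENTS))
    for row in exception_pct(EVENTS):
        print(row)
```

The point the model makes concrete: after the first `stats`, the pipeline holds five rows (one per date/exception pair), so a second `stats count by date` reports 3 and 2 where the raw event counts are 4 and 4. `eventstats` keeps those five rows and attaches the per-date sum to each, which is exactly what the percentage needs.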
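For the day-over-week search in the Slice And Dice excerpt above, the following Python is an added example, not the article's SPL and not how Splunk implements timewrap, untable or xyseries. It builds the same table those commands produce (one row per hour of day, one column per Thursday for the last four weeks) from a constructed set of sales timestamps, so the overlay logic can be read and tested offline, and it goes one step further than the article by computing each Thursday's peak hour, which is the question the sales scenario asks. The function names, the column labels and the sample data are this example's own.

```python
"""Day-over-week overlay (the last four Thursdays, hour by hour), modelled
in Python. Added example, not the article's SPL and not how Splunk
implements timewrap/untable/xyseries: it reproduces the table those
commands build so the overlay logic can be read and tested offline.
Names such as hourly_counts and day_over_week are this example's own."""
from collections import defaultdict
from datetime import datetime, timedelta

THURSDAY = 3  # datetime.weekday(): Monday == 0


def sample_events():
    """Constructed sales events, five weeks from Monday 2023-07-03: two
    sales every hour of every day, plus eight extra sales at 20:00 on the
    latest Thursday (Aug 3) and at 18:00 on the Thursday two weeks earlier
    (Jul 20)."""
    start = datetime(2023, 7, 3)
    events = []
    for day in range(35):
        for hour in range(24):
            base = start + timedelta(days=day, hours=hour)
            events += [base + timedelta(minutes=m) for m in (5, 35)]
    events += [datetime(2023, 8, 3, 20, m) for m in range(8)]
    events += [datetime(2023, 7, 20, 18, m) for m in range(8)]
    return events


def hourly_counts(events):
    """Emulates `| timechart span=1h count(TotalSales) as TotalSales`:
    bucket each event to the top of its hour and count the bucket."""
    buckets = defaultdict(int)
    for ts in events:
        buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return buckets


def day_over_week(buckets, weekday=THURSDAY, weeks=4, label="Thursday"):
    """Emulates timewrap + rename + untable/eval/xyseries: take the latest
    date with the requested weekday, step back `weeks` weeks, and pivot the
    hourly counts into one row per hour of day with one column per week.
    The column labels mirror the article's LatestDay/WeeksBackN idea; the
    exact strings are this example's own."""
    latest = max(ts for ts in buckets if ts.weekday() == weekday).date()
    columns = []
    for back in range(weeks):
        day = latest - timedelta(weeks=back)
        plural = "s" if back > 1 else ""
        name = f"Latest {label}" if back == 0 else f"{label} ({back} week{plural} back)"
        columns.append((name, datetime(day.year, day.month, day.day)))
    table = {}
    for hour in range(24):
        table[hour] = {name: buckets.get(midnight + timedelta(hours=hour), 0)
                       for name, midnight in columns}
    return table


def peak_hours(table):
    """For each column, the hour of day with the highest count, or None when
    the day is flat (no single peak). This answers 'is the spike at the same
    hour every Thursday?' without reading the chart."""
    peaks = {}
    for name in next(iter(table.values())):
        series = {hour: row[name] for hour, row in table.items()}
        best = max(series, key=series.get)
        peaks[name] = best if series[best] > min(series.values()) else None
    return peaks


if __name__ == "__main__":
    table = day_over_week(hourly_counts(sample_events()))
    for hour, row in table.items():
        print(f"{hour:02d}:00", row)
    print(peak_hours(table))
```

With the constructed data, the latest Thursday peaks at 20:00, the Thursday two weeks back peaks at 18:00, and the other two are flat, which is the kind of discrepancy the overlaid chart is meant to expose.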