Splunk® Metrics Workspace (Legacy)

Using the Splunk Metrics Workspace

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of SMW. Click here for the latest version.
Acrobat logo Download topic as PDF

Analytics in the Splunk Metrics Workspace

Configure analytic functions and operations in the Analysis panel. These options help you gain insight from your charts. All analytic functions generate SPL in the background.

For more information about charts, see Charts in the Metrics Workspace.

Aggregations

Charts in the Metrics Workspace contain time series based on aggregated data. To calculate aggregations, data points within the same approximate time frame are categorized into buckets. Aggregations are calculated from data points in the same bucket. The bucket size, or span, is automatically configured based on your specified time range. Increasing the time range causes the span to increase automatically.

Select one or more aggregations in the Analysis panel to generate a time series on the chart. The following aggregations are available:

Aggregation Use Description
Average (Avg) Numeric data Average value from each bucket of data. Default aggregation for numeric data.
Maximum (Max) Numeric data Maximum value from each bucket of data.
Minimum (Min) Numeric data Minimum value from each bucket of data.
Standard deviation (Std dev) Numeric data Standard deviation for each bucket of data.
Sum Numeric data Sum of values from each bucket of data.
Percentiles Numeric data Percentile values from each bucket of data. View a maximum of five percentiles. Default percentiles are 90, 75, 50, 25, and 15. To remove a percentile, click the X icon next to the percentile you want to remove. To configure additional percentiles, enter a number between 1 and 100 in the box under the percentiles option.
Count String data Number of values in a dataset field within each bucket of data. Default aggregation for string data.
Distinct count (Dist count) String data Number of distinct values in a dataset field within each bucket of data.

Configure chart aggregations

Configure aggregations to select which facet of your data to view on a chart.

  1. In the main panel, select the chart you want to modify.
  2. In the Analysis panel, select the aggregations to apply.

Examples

The following chart shows the Average, Maximum, and Minimum aggregations of system.cpu values for collectd_metrics.

This screen image shows a chart of the Average, Maximum, and Minimum aggregations of system.cpu values for collectd metrics.


The following chart shows the 25th, 50th, and 75th Percentile aggregations of system.cpu values for collectd_metrics.

This screen image shows a chart of the 25th, 50th, and 75th Percentile aggregations of system.cpu values for collectd metrics.

Time comparisons

Time comparisons overlay a previous time period on a chart to investigate whether a time series has changed significantly between two related time ranges.

Time comparisons are not available for datasets or when splitting charts by dimension.

Add a time comparison to a chart

Add a time comparison to a chart to investigate changes in your data over time.

  1. From the main panel of the Metrics Workspace, select a chart to add the time overlay to.
  2. In the Analysis panel of the Metrics Workspace, click the Compare to list under Time Comparison.
  3. Select from the list of preset time overlays, or select custom.
  4. (Optional) If you selected custom, enter the time comparison you want to use.

Time comparisons appear as dotted lines on the chart.

Remove a time comparison from a chart

Remove a time comparison from a chart to show data from only the current time range.

  1. In the Analysis panel of the Metrics Workspace, click the Compare to list.
  2. Select None.

Examples

The following chart compares current average system.cpu values to the values from 24 hours before.

This screen image shows a chart comparing current average system.cpu values to the values from 24 hours ago.

Splitting and stacking

Split a chart by a dimension to view a separate time series for each dimension value. Splitting a chart by a dimension shows the values with the highest or lowest data points in the selected time range.

The highest and lowest dimension values are calculated based on the overall highest and lowest data points. Therefore, it is possible for a single dimension value to appear in both the highest and lowest categories. For example, imagine you have two charts in the workspace. The first chart shows CPU utilization split by the top five highest apps, and the second chart shows CPU utilization split by the top five lowest apps. If the data for a particular app contains a high level of variation and has both high and low CPU utilization levels, this app could appear on both charts.

Stack the series to show the sum of dimension values on the chart. In a stacked series, each series appears as a colored area of the stacked chart.

Splitting by dimension is not supported for charts with multiple aggregations or time comparisons.

Split a chart by dimension

Split a chart by a dimension to show a separate time series for each dimension value.

  1. Select the workspace chart you want to split by dimension.
  2. In the Analysis panel, click the Split by list.
  3. Select the dimension that you want to split.
  4. From the Display drop-down menu, select either the Highest or Lowest spikes in data.
  5. Select the number of values to display.
  6. (Optional) Click the Stack Series checkbox to show the sum of dimension values stacked on the chart.

The chart shows a new time series for each value of the split dimension.

Remove a dimension split

Remove a dimension split to view data for all dimensions in a single time series.

  1. In the Analysis panel of the Metrics Workspace, click the Split by list.
  2. Select None.

Split multiple charts in the workspace

Split multiple charts by the same dimension to compare the time series for the top five dimension values across your workspace.

If every chart in your workspace contains the same set of dimensions, then splitting multiple charts applies the split across all charts in your workspace. If the charts in your workspace contain different dimensions, then splitting multiple charts applies the split across all of the charts that contain your specified dimension.

Split multiple charts by the same dimension to visualize a single dimension across the workspace.

  1. In the global actions bar of the Metrics Workspace, click the Split all by or Split by drop-down list.

    If all charts in your workspace contain the same dimensions, then the drop-down list is called Split all by. If the charts in your workspace contain different dimensions, then the drop-down list is called Split by.

  2. Select a dimension from the list.

All charts in the workspace that contain your specified dimension apply the split. If a chart does not apply the split, it is because that dimension is not present in your data.

Splitting multiple charts only applies the split once. If you split by a different dimension for one or more charts in the workspace, this overrides the batch split.

Remove a dimension split from multiple charts in the workspace

Remove dimension splitting from multiple charts to show data for all charts in a single time series.

  1. In the global actions bar of the Metrics Workspace, click the Split all by or Split by drop-down list.

    If all charts in your workspace contain the same dimensions, then the drop-down list is called Split all by. If the charts in your workspace contain different dimensions, then the drop-down list is called Split by.

  2. Select Remove all splits.

Examples

The following chart shows the apache.response_time metric split by the top five pages.

This screen image shows a chart of the apache.response_time metric split by the top five pages.


The following chart shows the apache.active_connections metric split by the top three extracted hosts. The series is stacked to show the total number of active connections.

This screen image shows a chart of the apache.active_connections metric split by the top three extracted hosts. The series is stacked to show summed totals.

Filters

Filter data to view specific dimension values on the chart. If a chart is already split by a dimension, use filters to add or remove time series for selected dimension values.

Use wildcards from within the Filter panel to filter for a dimension with a high number of values. For information about using wildcards in the Splunk platform, see Wildcards in the Search Manual.

Filter by dimension value from the Analysis panel

Filter chart data to view a specific subset of dimension values.

  1. From the main panel of the Metrics Workspace, select the chart you want to filter by dimension value.
  2. In the Analysis panel, under Filters, click the name of the dimension you want to filter.
  3. Select whether to Include or Exclude the specified dimension values.
  4. From the list of dimension value names, select the dimension values you want to filter on the chart.

    If the list contains more than twelve dimension values, a search bar appears. Type part or all of the dimension value name into the search bar to refine the list. Wildcards are supported.

The chart shows data for the dimension values that you selected.

Filter by dimension value from the chart legend

If a chart is already split by a dimension, filter by dimension value using the legend to the right of the chart.

Prerequisites
Split the chart by a dimension. See Splitting and stacking.

Steps

  1. From the main panel of the Metrics Workspace, select the chart you want to filter by dimension value.
  2. In the chart legend, click the name of the dimension value that you want to filter.
  3. From the options that appear, click either Keep Only or Exclude.

The chart shows data for the dimension values that you selected.

Remove dimension value filters

Remove dimension value filters to view data from all values of a dimension on the chart.

  1. From the main panel of the Metrics Workspace, select the chart you want to clear filters for.
  2. In the Analysis panel under Filters, click the name of the dimension you want to clear filters for.
  3. In the top-right corner of the list of dimension values, click the This screen image shows the X icon. icon.

The chart shows data for all values of that dimension.

Examples

The following chart shows the average, maximum, and minimum aggregations for the aws.ec2.CPUUtilization metric filtered by IP address.

This screen image shows a chart of the aws.ec2.CPUUtilization metric filtered by IP address.


The following chart shows the system.memory.usage metric split by the App dimension and filtered to show time series for the cart, catalog, and checkout dimension values.

This screen image shows a chart of the system.memory.usage metric split by App and filtered to show time series for the cart, catalog, and checkout dimension values.
Last modified on 15 April, 2019
PREVIOUS
Time range in the Splunk Metrics Workspace
  NEXT
Alerts in the Splunk Metrics Workspace

This documentation applies to the following versions of Splunk® Metrics Workspace (Legacy): 1.0.0, 1.0.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters