https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376487#M45682 <P>I currently have a search query to calculate the maximum, average and median CPU usage of a server over the past 2 hours using NMON data models, which is in real-time.</P> <PRE><CODE>| tstats `CPU_ALL(max)` from datamodel=NMON_Data_CPU where (nodename = CPU.CPU_ALL) (host=myhost) (CPU.frameID="*") (CPU.OStype="*") `No_Filter(CPU)` groupby _time, host prestats=true span=1m | stats dedup_splitvals=t max("CPU.cpu_PCT") AS CPU.cpu_PCT by _time, host | fields * | sort +str(host) | stats max("CPU.cpu_PCT") AS max, avg("CPU.cpu_PCT") AS avg, median("CPU.cpu_PCT") AS median by host | eval max=round(max,2) | eval avg=round(avg,2) | rename max as "Max (%)", avg as "Avg (%)", median as "Min (%)" </CODE></PRE> <P>I would like to plot a timechart showing the values within the last 2 hours, where the values are the avg, max, median CPU usage within the past 2 hours relative to the timestamp.</P> <P>i.e. </P> <P>Assuming current time is 07:00, I would like my timechart to show the following values as a line chart:</P> <P>avg, max, median CPU usage at 05:00 --&gt; showing avg, max, median of CPU usage from 03:00 - 05:00<BR /> avg, max, median CPU usage at 05:01 --&gt; showing avg, max, median of CPU usage from 03:01 - 05:01<BR /> avg, max, median CPU usage at 05:02 --&gt; showing avg, max, median of CPU usage from 03:02 - 05:02<BR /> :<BR /> :<BR /> avg, max, median CPU usage at 06:59 --&gt; showing avg, max, median of CPU usage from 04:59 - 06:59<BR /> avg, max, median CPU usage at 07:00 --&gt; showing avg, max, median of CPU usage from 05:00 - 07:00</P> <P>Are there ways to do that? Thanks in advance.</P> Fri, 08 Feb 2019 03:48:19 GMT hactl2019 2019-02-08T03:48:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376487#M45682 <P>I currently have a search query to calculate the maximum, average and median CPU usage of a server over the past 2 hours using NMON data models, which is in real-time.</P> <PRE><CODE>| tstats `CPU_ALL(max)` from datamodel=NMON_Data_CPU where (nodename = CPU.CPU_ALL) (host=myhost) (CPU.frameID="*") (CPU.OStype="*") `No_Filter(CPU)` groupby _time, host prestats=true span=1m | stats dedup_splitvals=t max("CPU.cpu_PCT") AS CPU.cpu_PCT by _time, host | fields * | sort +str(host) | stats max("CPU.cpu_PCT") AS max, avg("CPU.cpu_PCT") AS avg, median("CPU.cpu_PCT") AS median by host | eval max=round(max,2) | eval avg=round(avg,2) | rename max as "Max (%)", avg as "Avg (%)", median as "Min (%)" </CODE></PRE> <P>I would like to plot a timechart showing the values within the last 2 hours, where the values are the avg, max, median CPU usage within the past 2 hours relative to the timestamp.</P> <P>i.e. </P> <P>Assuming current time is 07:00, I would like my timechart to show the following values as a line chart:</P> <P>avg, max, median CPU usage at 05:00 --&gt; showing avg, max, median of CPU usage from 03:00 - 05:00<BR /> avg, max, median CPU usage at 05:01 --&gt; showing avg, max, median of CPU usage from 03:01 - 05:01<BR /> avg, max, median CPU usage at 05:02 --&gt; showing avg, max, median of CPU usage from 03:02 - 05:02<BR /> :<BR /> :<BR /> avg, max, median CPU usage at 06:59 --&gt; showing avg, max, median of CPU usage from 04:59 - 06:59<BR /> avg, max, median CPU usage at 07:00 --&gt; showing avg, max, median of CPU usage from 05:00 - 07:00</P> <P>Are there ways to do that? Thanks in advance.</P> Fri, 08 Feb 2019 03:48:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376487#M45682 hactl2019 2019-02-08T03:48:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376488#M45683 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163351">@hactl2019</a></P> <P>why you are not using timechart?</P> <P>like <BR /> | timechart span=1min max("CPU.cpu_PCT") AS max, avg("CPU.cpu_PCT") AS avg, median("CPU.cpu_PCT") AS median by host </P> Tue, 29 Sep 2020 23:11:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376488#M45683 vishaltaneja070 2020-09-29T23:11:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376489#M45684 <P>That will give me the max, avg and median for that minute only. I found a workaround for the problem usig eval calculating the offset. Thanks anyways.</P> Fri, 08 Feb 2019 06:50:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376489#M45684 hactl2019 2019-02-08T06:50:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376490#M45685 <P>Hello, I'm having the exact same issue, but i want to have a 10-minute window. I am struggling to do it, can you share your solution?</P> Thu, 06 Feb 2020 10:16:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Relative-time-search-and-plotting-in-a-timechart/m-p/376490#M45685 pandamasque 2020-02-06T10:16:03Z