topic Re: Timechart show split value (by) and non-split value in Dashboards & Visualizations

Timechart show split value (by) and non-split value

tomporterfield — Tue, 14 Jan 2025 18:30:02 GMT

I have a timechart that shows a calculated value split by hostname, Ex:

[[search]] | | eval overhead=(totaltime - routingtime) | timechart span=1s eval(round(avg(overhead),1)) by hostname

What I am trying to do is also show the calculated overhead value not split by hostname:

[[search]] | | eval overhead=(totaltime - routingtime) | timechart span=1s eval(round(avg(overhead),1))

How do I show the split out overhead values and the combined overhead value in the same timechart?

Re: Timechart show split value (by) and non-split value

ITWhisperer — Tue, 14 Jan 2025 19:00:15 GMT

Please provide some anonymised sample events, a description in non-SPL terms of how the events are to be processed and how they relate to an expected output.

Re: Timechart show split value (by) and non-split value

isoutamo — Tue, 14 Jan 2025 19:01:51 GMT

Have you look addtotals? https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Addtotals

Re: Timechart show split value (by) and non-split value

tomporterfield — Tue, 14 Jan 2025 19:22:17 GMT

The goal is to calculate an overhead value over a span of 1 second. Overhead is calcuated as being the difference between totaltime and routingtime. Then for each host as identified by hostname, create a line chart that shows the overhead for each host, and include another line on the chart that shows the average overhead across all hosts.

Here are a few anonymized sample records:

{"severity":"Audit","hostname":"ahost02","received":"2025-01-14T19:12:44.623Z","protocol":"http","routingtime":189,"totaltime":234}
{"severity":"Audit","hostname":"ahost01","received":"2025-01-14T19:12:44.650Z","protocol":"https","routingtime":27,"totaltime":78}
{"severity":"Audit","hostname":"ahost01","received":"2025-01-14T19:12:44.634Z","protocol":"http","routingtime":36,"totaltime":74}
{"severity":"Audit","hostname":"ahost02","received":"2025-01-14T19:12:44.427Z","protocol":"http","routingtime":205,"totaltime":220}

Re: Timechart show split value (by) and non-split value

tomporterfield — Tue, 14 Jan 2025 19:24:23 GMT

Yes and I don't think that's what I want. That seems to sum the split values, I want the non-split (effectively average) value. If there were a similar avgtotals that would probably be what I'm looking for.

Re: Timechart show split value (by) and non-split value

PickleRick — Wed, 15 Jan 2025 13:03:17 GMT

You can't do it directly since when you so timechart by a field, it will get split. So you have to improvise.

EDIT: Missed the fact that was avg(), not sum(). Of course summing averages is not the way to go so @ITWhisperer 's solution is the one to go for.

The obvious solution already provided is timechart | addtotals. You could also try to manually bin _time and stats but it boils down to the same thing.

Several caveats:

1) Careful with rounding.

2) Do fillnull if you can expect the by-field to be empty sometimes. Otherwise your total will be wrong.

3) Either limit=0 or useother=t - without it you'll lose data for the sum.

Re: Timechart show split value (by) and non-split value

ITWhisperer — Wed, 15 Jan 2025 08:51:40 GMT

Re: Timechart show split value (by) and non-split value

tomporterfield — Wed, 15 Jan 2025 12:55:02 GMT

👏Yes, this is the way. Thanks @ITWhisperer this is exactly what I was looking for.