topic Timechart with multiple fields in Splunk Search

Timechart with multiple fields

imthesplunker — Thu, 20 Apr 2017 15:51:35 GMT

Hi , I need to add one more field "row_num" in the same timechart

Search query is
index=abc | timechart span=1hr avg(response_time) by host

row_num contains 30 ,40,25,15,.....

Thanks.

Re: Timechart with multiple fields

DalJeanis — Thu, 20 Apr 2017 16:04:04 GMT

What information is the row_num field supposed to convey?

Are you wanting the average of the row_num for each host in each hour, or the max, or what?

Re: Timechart with multiple fields

sowings — Thu, 20 Apr 2017 16:09:25 GMT

Might need "chart OVER BY" instead of timechart? Or a fancy stats call. More information about what exactly you're looking for would be helpful.

Re: Timechart with multiple fields

somesoni2 — Thu, 20 Apr 2017 16:21:39 GMT

You want to include avg(row_num) and it should be calculated for each host? IF yes, the this should work.

index=abc | timechart span=1hr avg(response_time) avg_response_time avg(row_num) avg_row_num by host

Update

Does this give you what you want?

index=abc | eval host=host.":".row_num| timechart span=1hr avg(response_time) avg_response_time by host

Re: Timechart with multiple fields

woodcock — Thu, 20 Apr 2017 17:13:23 GMT

If you are going to use the visualization tab, you need to make sure that all of your "things" have a single numerical value. You can gather as many "things" as you like just by adding them in a string like this:

THIS IS UNCHARTABLE:

index=abc | timechart span=1h avg(response_time) values(row_num) BY host

THIS IS CHARTABLE:

index=abc | timechart span=1h avg(response_time) max(row_num) BY host

Re: Timechart with multiple fields

imthesplunker — Tue, 29 Sep 2020 13:45:45 GMT

Thankyou all for the responses .Somesoni2 and woodcock , i am getting the timechart for both response_time and row_num but not as expected .
I am looking for is

when i hover into the chart , it gives

1)date and time
2)avg(response_time) with values .

can max(row_num) also included along with the other two when i hover ?

Re: Timechart with multiple fields

woodcock — Thu, 20 Apr 2017 18:22:03 GMT

With my answer (the "chartable" one), you will get TWO lines for each host: 1 line for the avg(response_time) and another for max(row_num). There is no way to stuff 2 separate values into a single line (see the "unchartable" commentary in my answer).