topic Re: Timecharting the sum() of min()/avg()/max() in Splunk Search

Timecharting the sum() of min()/avg()/max()

jeffa — Fri, 04 May 2012 19:51:52 GMT

I'm sure there is an easy answer for this and I'm going feel silly when I see it. I have a scripted input that pulls volume data for several volumes every 5 minutes. I would like to see the change in used terabytes of the combined volumes over time (each volume has a used_tb key/value pair in the log). For short timeperiods, I can do...

... | timechart span=5m sum(used_tb)

but when once I need to go beyond the last 24 hours, this breaks down. I can do...

... | timechart span=1h min(used_tb) by volume

and then use an area graph in stacked mode to get the idea, but I can't get an accurate measure when I hover over the graph (the pop up is for the individual volumes).

I thought that nesting the functions...

... | timechart span=1h sum(min(used_tb) by volume)

would work, but this produces no values.

What really easy thing am I missing here?

Re: Timecharting the sum() of min()/avg()/max()

ziegfried — Fri, 04 May 2012 20:02:39 GMT

This one should work:

... | bucket _time span=1h | stats min(used_tb) as min_used by volume,_time | timechart span=1h sum(min_used)

Re: Timecharting the sum() of min()/avg()/max()

jeffa — Fri, 04 May 2012 20:11:04 GMT

That search still doesn't produce any charting results. I have played w/ bucketing and eval but no luck.

Re: Timecharting the sum() of min()/avg()/max()

ziegfried — Fri, 04 May 2012 20:12:21 GMT

forgot to add time to the split-by clause of the stats. modified the search in the answer...

Re: Timecharting the sum() of min()/avg()/max()

jeffa — Fri, 04 May 2012 20:23:25 GMT

Brilliant! That did the trick.