https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361458#M106759 <P>You can always UpVote, too.</P> Mon, 07 Aug 2017 22:44:32 GMT woodcock 2017-08-07T22:44:32Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361450#M106751 <P>Hi, <BR /> Thanks up front your time<BR /> I have duration field generated from some <CODE>transaction</CODE> command and I would love to draw a chart that presenting <CODE>avg()</CODE>- one value within same time bucket and <CODE>values()</CODE> - values that average is calculated. My search is :</P> <PRE><CODE>&lt;some search&gt; | where duration &gt; 10 | bin _time span=1d| stats avg(duration) as avgDurs values(duration) as valDurs by _time,session_name | </CODE></PRE> <P>it is resulting following data set: (valDur has multiple values)<BR /> _time| session_name | avgDurs | valDurs<BR /> 2017-04-26|s1|22.500000|12 33<BR /> 2017-04-27|s2|16.500000|11 14 30</P> <P>My question is how can i chart this table with<BR /> single avgDurs line (it appears on all charts, issue is on multiple fields)<BR /> and multiple values for valDurs on same chart<BR /> <STRONG>within same time frame</STRONG></P> <P>I tried couple other examples (xyseries) i found on answers and documentation. Here are my trials incase if i am missing something:</P> <PRE><CODE>| bin _time span=1d| stats avg(duration) as avgDur values(duration) as valDur by session_name,_time | eval s1="AvgDurs ValDurs" |makemv s1 | mvexpand s1| eval yval=case(s1=="AvgDurs",avgDur, "ValDurs",valDur)| eval series=session_name+":"+s1 | xyseries _time, series, yval </CODE></PRE> <P>please note that first stats without session name is closest to what is desired. it only display valDurs if there is only one value<BR /> Thanks again</P> Tue, 29 Sep 2020 13:56:00 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361450#M106751 akocak 2020-09-29T13:56:00Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361451#M106752 <P>If you wish to have a separate line for each value of duration, you may end up with bunch of lines (duration is a number and it can have any possible integer value). Any specific benefit that you see with showing all those duration values?</P> <P>Also, see if something like this would work </P> <P>Give this a try</P> <PRE><CODE>&lt;some search&gt; | where duration &gt; 10 | bin _time span=1d | eval series=strftime(_time,"%m/%d/%Y")."##".session_name."##".avgDurs | stats avg(duration) as avgDurs by series </CODE></PRE> Wed, 03 May 2017 18:25:03 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361451#M106752 somesoni2 2017-05-03T18:25:03Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361452#M106753 <P>You cannot chart both (after all, what would the chart of the multi-valued field even look like; what would the units of the Y-Axis be?). But you can make 2 charts from one search by using your search as a base search:</P> <PRE><CODE>&lt;some search&gt; | where duration &gt; 10 | bin _time span=1d | stats avg(duration) as avgDurs values(duration) as valDurs BY _time session_name </CODE></PRE> <P>Then, in the panel that needs to have the chart, extend the base with a reference plus this:</P> <PRE><CODE>| timechart span=1d first(avgDurs) AS avgDurs </CODE></PRE> Wed, 03 May 2017 19:44:31 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361452#M106753 woodcock 2017-05-03T19:44:31Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361453#M106754 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a> , thanks for the quick response, I think i need to make it more clear, if this is a line timechart, <BR /> within the same time window, I see avg as it is one value for each time window, however, duration values, they could be in same color (legend) too, just want to draw each. <BR /> I checked your suggestion also, it didn't bring desired output, check this one, <BR /> |bin _time span=1d | eventstats avg(duration) as DailyAverage values(duration) as DurValues by _time, session_name<BR /> |convert ctime(_time)| chart values(DurValues) values(DailyAverage) over session_name by _time useother=false</P> <P>output of this wrong as well, however closer, just need need to show each value , I am wondering if we can change _time span to 1h let's say and find a way in Timechart to show it daily still? </P> Tue, 29 Sep 2020 13:56:20 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361453#M106754 akocak 2020-09-29T13:56:20Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361454#M106755 <P>Give this a try then</P> <PRE><CODE>&lt;some search&gt; | where duration &gt; 10 | bin _time span=1d| stats avg(duration) as avgDurs values(duration) as valDurs by _time,session_name | mvexpand valDurs </CODE></PRE> Wed, 03 May 2017 20:16:31 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361454#M106755 somesoni2 2017-05-03T20:16:31Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361455#M106756 <P>This works <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks man, I knew it is one command away <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span> mvexpand. </P> <P>thanks again, wish you a great day. I am not sure if i can validate it as correct answer here. </P> Wed, 03 May 2017 20:23:13 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361455#M106756 akocak 2017-05-03T20:23:13Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361456#M106757 <P>Here you go.</P> Wed, 03 May 2017 20:27:34 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361456#M106757 somesoni2 2017-05-03T20:27:34Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361457#M106758 <P>@woodcock , thanks for the answer, your answer is valid as well,however I didn't want to deal with flash charts in dashboard. Thanks for your time.</P> Wed, 03 May 2017 20:40:39 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361457#M106758 akocak 2017-05-03T20:40:39Z https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361458#M106759 <P>You can always UpVote, too.</P> Mon, 07 Aug 2017 22:44:32 GMT https://community.splunk.com/t5/Splunk-Search/Chart-one-value-field-and-multiple-value-field-within-same-time/m-p/361458#M106759 woodcock 2017-08-07T22:44:32Z