https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369692#M108922 <P>I currently have a timechart running every minute each day to show a given field value as it increases through the day. The data is being displayed as an area chart. If possible, I'd like the add an overlay to the chart that will show the "average" value each minute over a larger time period (yesterday, or last week for instance). I already have the "historical" timechart data being saved to a summary index, I'm just wondering what the best way would be to incorporate it.</P> <P>Right now, the search is relatively simple:<BR /> "my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | timechart span=1m count</P> <P>And I am running this same search, without the earliest and latest filters and writing the results to summary index. So it is just a matter of taking today's count by minute and comparing to the summary index count by minute so get a baseline of today vs prior days to make it easier to see if it is "normal" or not.</P> Tue, 15 Aug 2017 12:08:16 GMT bcarr12 2017-08-15T12:08:16Z https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369692#M108922 <P>I currently have a timechart running every minute each day to show a given field value as it increases through the day. The data is being displayed as an area chart. If possible, I'd like the add an overlay to the chart that will show the "average" value each minute over a larger time period (yesterday, or last week for instance). I already have the "historical" timechart data being saved to a summary index, I'm just wondering what the best way would be to incorporate it.</P> <P>Right now, the search is relatively simple:<BR /> "my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | timechart span=1m count</P> <P>And I am running this same search, without the earliest and latest filters and writing the results to summary index. So it is just a matter of taking today's count by minute and comparing to the summary index count by minute so get a baseline of today vs prior days to make it easier to see if it is "normal" or not.</P> Tue, 15 Aug 2017 12:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369692#M108922 bcarr12 2017-08-15T12:08:16Z https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369693#M108923 <P>I'd probably approach this like so...</P> <P>Once a day, between 12p and 6a, run an extract from the summary index to a csv, with each projected minute <STRONG>of the new day</STRONG> calculated. I would probably do three numbers - bottom edge, average, top edge - and decide the edges based on 2-3 standard deviations. For simplicity of the actual presentation, I would put each number on its own individual event record with three fields, _time, series and eventcount. Since there are only 720 minutes in your 12 hour period, this would only be 2160 records, so it's fairly small.</P> <P>Then your presentation is this...</P> <PRE><CODE>"my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | bin _time span=1m | stats count as eventcount by _time | eval series="today" | append [|inputcsv mydailycsv.csv | table _time series eventcount] | timechart span=1m sum(eventcount) as count by series </CODE></PRE> Tue, 15 Aug 2017 13:39:02 GMT https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369693#M108923 DalJeanis 2017-08-15T13:39:02Z https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369694#M108924 <P>Thank you for your advice! Let me give this a shot and see how close it gets me to what I am looking for.</P> Wed, 16 Aug 2017 17:27:06 GMT https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369694#M108924 bcarr12 2017-08-16T17:27:06Z https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369695#M108925 <P>may be you can try with timewrap command</P> <P>for e.g.,</P> <P>... ... | timechart count span=1d | timewrap 1week</P> Wed, 16 Aug 2017 17:59:47 GMT https://community.splunk.com/t5/Splunk-Search/Compare-Minute-by-Minute-Timechart-quot-Today-quot-vs-Summary/m-p/369695#M108925 sbbadri 2017-08-16T17:59:47Z