topic Re: timechart issiue in Splunk Search

timechart issiue

Mohsin123 — Wed, 14 Nov 2018 11:43:39 GMT

Hi ,

i have 3 fields host , swapfree, memoryfree in my index
i want to display count like this :

timechart span=1h count(swapfree) as swapfree , count(memoryfree) as memoryfree by host

problem is : i am passing swapfree and memory free as token and host also as token
can anyone help me in this :

in my timechart : x-axis: time , y-axis : bytes in swapfree , memoryfree for the host selected

Re: timechart issiue

FrankVl — Wed, 14 Nov 2018 12:25:51 GMT

What exactly is and isn't working with your current approach?

Also: if you want to chart the actual bytes, you shouldn't be using count() as the aggregation function in the timechart command. You probably want to use avg(), min() or max() or earliest() or latest() depending on what exactly you want to display.

Re: timechart issiue

Mohsin123 — Tue, 29 Sep 2020 21:59:03 GMT

used tokens :

index=idix_infra_prod $swap$ $host$ source=Apigssor
| table _time host $swap$
| fields - OR
| timechart span=$span$ count by $swap$

translates to :

index=iod MemoryBuffers MemoryUsedPercent MemoryTotal (host="vgapx5vr") source=Apigor
| table _time host MemoryBuffers MemoryUsedPercent MemoryTotal
| fields - OR
| timechart span=1h count by MemoryBuffers MemoryUsedPercent MemoryTotal

Re: timechart issiue

Mohsin123 — Wed, 14 Nov 2018 12:41:43 GMT

if i try to do an average , this is the problem, token issue

index=idxrod $swap$ $host$ source=Apicessor
| table _time host $swap$
| fields - OR
| timechart span=$span$ avg($swap$)

index=idrod MemoryBuffers MemoryUsedPercent MemoryTotal (host="vgapx5vr") source=Apor
| table _time host MemoryBuffers MemoryUsedPercent MemoryTotal
| fields - OR
| timechart span=1h avg(MemoryBuffers MemoryUsedPercent MemoryTotal)

Re: timechart issiue

Mohsin123 — Wed, 14 Nov 2018 12:43:05 GMT

when i am using one token , its working
but multiple tokens wen i am selecting using multiselct , its not working

Re: timechart issiue

FrankVl — Wed, 14 Nov 2018 12:50:33 GMT

Sounds like you may need to rethink your token approach a bit, because avg(field1 field2 field3) of course will not work. Not an expert on tokens, but you can perhaps do some pre-processing on that token before passing it to the search, such that you can provide a specific token for the timechart command that actually takes the avg() of each of the fields rather than avg over a string containing multiple fieldnames.