topic Re: How to create a timechart with multiple values? in Splunk Search

How to create a timechart with multiple values?

ppatrikfr — Tue, 15 May 2018 16:46:40 GMT

Hello!
I'm trying to make a timechart like this one below, but I have some hosts that I need to show their medium cpu usage per hour (0am - 11 pm. I'm getting one-month data and trying to show their average per hour, but I only can put the average of all hosts, but I need the average for each one.

My search until now:

earliest=04/01/2018:00:00:00 latest=04/30/2018:23:59:00 index="summary" instance="cpu.usage.average" source=Summary_VMhost 
| rename media as Value 
| table * 
| where VMhost="" OR like(VMhost,"hostname00020.somecorp.net") OR like(VMhost,"hostname00021.somecorp.net") OR like(VMhost,"hostname052073.somecorp.net") OR like(VMhost,"hostname052074.somecorp.net") OR like(VMhost,"hostname052075.somecorp.net") OR like(VMhost,"hostname052076.somecorp.net") OR like(VMhost,"hostname631.somecorp.net") OR like(VMhost,"hostname632.somecorp.net") OR like(VMhost,"hostname641.somecorp.net") OR like(VMhost,"hostname642.somecorp.net") 
| eval date_hour=strftime(_time,"%H") 
| eval Horario_critico=if((date_hour>=7 AND date_hour<11) OR (date_hour>=13 AND date_hour<17),100,null) 
| stats avg(Value) max(Horario_critico) by date_hour

Re: How to create a timechart with multiple values?

niketn — Tue, 15 May 2018 17:35:32 GMT

Instead of stats use chart to have date_hour on x-axis and split by VMhost

 <YourCurrentSearch>
| chart avg(Value) by date_hour VMhost

Re: How to create a timechart with multiple values?

ppatrikfr — Wed, 16 May 2018 10:12:22 GMT

I didn't know that diference about both(stats and chart), thanks it works perfectly!!!

Re: How to create a timechart with multiple values?

niketn — Wed, 16 May 2018 11:22:59 GMT

@ppatrikfr glad it worked, I have converted my comment to answer. Please accept to mark this question as answered!