topic Re: How to lump data into two groups by a field for a trendline? in Splunk Search

How to lump data into two groups by a field for a trendline?

splunk_question — Wed, 23 May 2018 12:56:18 GMT

So I have some data which looks similar to this:

time="timevalue", name="name", measurement="value"

And I have 7 different values for name (i.e., name1, name2, etc.)
How can I group the data together so that, on the same trendline (graphing averages), it has the groups

{name1, name2}
{name3, name4, name5, name6, name7}

And performs my calculations on those.
The search right now returns an average of all events:

base search
| timechart span=12h values(measurement) as Measurement
| streamstats window=180 AVG
| table _time AVG*

Re: How to lump data into two groups by a field for a trendline?

adonio — Wed, 23 May 2018 13:08:19 GMT

do you mean this:
base search
| timechart span=12h values(measurement) as Measurement by name
| streamstats window=180 AVG
| table _time AVG*

Re: How to lump data into two groups by a field for a trendline?

splunk_question — Wed, 23 May 2018 13:21:33 GMT

Yes, but instead of taking the averages by each individual name, I'd like to take the averages of (name1, name2) and (names 3-7) separately, while displaying them on the same chart.

Re: How to lump data into two groups by a field for a trendline?

adonio — Wed, 23 May 2018 13:53:27 GMT

try this search anywhere:

i used numeric values for measurement field and grouped with eval by names
your timechart(values) might create multi value fields, which i think will not work very well withj streamstats
hope this sets you in the right direction

| gentimes start="05/16/201700:00:00" end="05/17/2018:00:00:00" increment=10m 
| eval _time = starttime 
| eval data = "name1;55,66,77,88|name2;55,66,77,88|name3;54,46,67,89|name4;53,36,73,38|name5;25,62,27,28|name6;51,16,71,18|name7;50,60,70,80"
| makemv delim="|" data
| mvexpand data
| rex field=data "(?<name>\w+)\;(?<measurement>\S+)"
| makemv delim="," measurement
| mvexpand measurement
| fields _time name measurement

the above generates fake data below is solution

| eval groups = if(name=="name1" OR name=="name2","group1","group2")
| timechart span=12h values(measurement) as Measurement by groups

hope it helps

Re: How to lump data into two groups by a field for a trendline?

splunk_question — Wed, 23 May 2018 14:09:50 GMT

Perfect. I've been working on it and did much the same thing. I'm rather new to Splunk and didn't know how Boolean operations were parsed, and I was trying to ram through

if(name=a OR b, " ", " ")

rather than

if(name=a OR name=b, ...)

Since the names are numeric, I was able to do

if(name<=name, ...)

But thanks for letting me know about that!

Re: How to lump data into two groups by a field for a trendline?

adonio — Wed, 23 May 2018 14:17:45 GMT

you bet! glad it helped 🙂