https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51948#M12617 <P>I am plotting reponse time data using the following search</P> <P>sourcetype="jboss" TOTAL SEARCH TIME CAREWEB AND NOT PMR | eval rp=EASYDOC_JBOSS_TIME/1000 | timechart span="1h" avg(rp)</P> <P>Is is possible to plot 2 week moving average as a base line with this chart </P> Mon, 28 Sep 2020 11:49:23 GMT kunadkat 2020-09-28T11:49:23Z https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51948#M12617 <P>I am plotting reponse time data using the following search</P> <P>sourcetype="jboss" TOTAL SEARCH TIME CAREWEB AND NOT PMR | eval rp=EASYDOC_JBOSS_TIME/1000 | timechart span="1h" avg(rp)</P> <P>Is is possible to plot 2 week moving average as a base line with this chart </P> Mon, 28 Sep 2020 11:49:23 GMT https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51948#M12617 kunadkat 2020-09-28T11:49:23Z https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51949#M12618 <PRE><CODE>sourcetype="jboss" TOTAL SEARCH TIME CAREWEB AND NOT PMR earliest=-24h@h latest=@h | eval rp=EASYDOC_JBOSS_TIME/1000 | bucket _time span=1h | stats avg(rp) as avgRP by _time | eval series = "average RP" | append [ search sourcetype="jboss" TOTAL SEARCH TIME CAREWEB AND NOT PMR earliest=-29d latest=@h | eval rp=EASYDOC_JBOSS_TIME/1000 | timechart count span=1h | streamstats window=168 avg(rp) as avgRP | eval series = "moving avg RP" | fields _time, avgRP, series ] | where _time &gt; relative_time(now(),"-24h@h") | timechart span=1h max(avgRP) as "Average RP" by series </CODE></PRE> <P>There are some dates in this search that you probably need to adjust:</P> <UL> <LI><CODE>window=168</CODE> because 2 weeks = 7*24 hours = 168 hours, so thats what streamstats needs to compute the moving average. You may not need to change this.</LI> <LI><CODE>earliest=-24h@h</CODE> in the first search. I just wanted to make the search time range explicit, so that the whole search makes sense. You could use the dropdown time range picker in the UI instead. But if you choose a different time range, you will definitely need to adjust the remaining time ranges in this list</LI> <LI><CODE>earliest=-16d</CODE> in the inner search. This should be set to at least 2 weeks + the time period in the first search. You may want to play with this a bit; i added an extra day to avoid having to worry about partial days.</LI> <LI><CODE>where _time &gt; relative_time(now(),"-24h@h")</CODE> - this statement eliminates the extra events that are created by the inner search while computing the rolling average. The <CODE>-24h@h</CODE> must be the same time range as in the first search.</LI> </UL> <P>By default, the inner search will run over all time, so you really do need to constrain the time range of the inner search. </P> <P>Let me know if this works!</P> Tue, 15 May 2012 21:43:43 GMT https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51949#M12618 lguinn2 2012-05-15T21:43:43Z https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51950#M12619 <P>I am getting an error for the following line. It is complaining that "Error in 'eval' command: The operator at 'fields _time avgRP, series' is invalid"</P> <P>eval series = "moving avg RP"<BR /> fields _time, avgRP, series </P> <P>Thanks,</P> Wed, 16 May 2012 02:09:53 GMT https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51950#M12619 kunadkat 2012-05-16T02:09:53Z https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51951#M12620 <P>Oops, missing a pipe! I edited my answer above.</P> Wed, 16 May 2012 18:38:50 GMT https://community.splunk.com/t5/Splunk-Search/Plotting-2-week-moving-average-for-response-data/m-p/51951#M12620 lguinn2 2012-05-16T18:38:50Z