https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480319#M134627 <P>Hello!</P> <P>I'm trying to build a table showing the monthly averages of a calculation for "OEE" by a Machine field.<BR /> I then want to drill down on the month selected to show worst offending machine and the downtime reasons (both fields in the data).</P> <P>The data is coming from DBX and therefore the date is contained in two fields "StartTime" and "StopTime" the events and not _time.</P> <P>This search provides the table I need for <STRONG>August</STRONG>:</P> <PRE><CODE>index=dbx MachID=oven* | where StartTime&gt;=1564617600 AND StopTime&lt;1567296000 AND StopTime&gt;0 | lookup machines.csv MachID OUTPUTNEW Machine | eval StartTime_Human=strftime(StartTime,"%a %B %d %Y %H:%M:%S"), StopTime_Human=strftime(StopTime,"%a %B %d %Y %H:%M:%S"), TotTimeHrs=TotTime/3600, DownTimeHrs=(DownTime/3600), SchedHrs=(SchedQty/ExpCycTm)/60+3 | eval OEE-A-ROTO=((TotTimeHrs)-(DownTimeHrs))/(TotTimeHrs) | stats avg(SchedHrs) AS SchedHrsAvg, avg(OEE-A-ROTO) AS OEE-A-ROTO, sum(TotTimeHrs) AS TotTimeHrsSum BY JobID, Machine | eval OEE-P-ROTO=SchedHrsAvg/TotTimeHrsSum | eval OEE-ROTO=('OEE-A-ROTO'*'OEE-P-ROTO'*0.97) | stats avg(OEE-ROTO) AS OEE by Machine | eval OEE=round(OEE*100)."%" </CODE></PRE> <P>Which provides this:</P> <PRE><CODE>Machine OEE Oven2 86% Oven3 88% Oven4 84% Oven5 80% Oven6 88% </CODE></PRE> <P>What I would actually like this to be is:</P> <PRE><CODE>Machine JAN FEB MAR APR MAY JUN JUL AUG Oven2 86% 86% 86% 86% 86% 86% 86% 86% Oven3 88% 84% 86% 86% 86% 86% 86% 86% Oven4 84% 86% 86% 86% 86% 86% 86% 80% Oven5 80% 86% 86% 86% 86% 86% 86% 80% Oven6 88% 86% 86% 86% 86% 86% 86% 80% </CODE></PRE> <P>Thanks for the help!<BR /> Cheers<BR /> John</P> Thu, 12 Sep 2019 16:07:57 GMT johnansett 2019-09-12T16:07:57Z https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480319#M134627 <P>Hello!</P> <P>I'm trying to build a table showing the monthly averages of a calculation for "OEE" by a Machine field.<BR /> I then want to drill down on the month selected to show worst offending machine and the downtime reasons (both fields in the data).</P> <P>The data is coming from DBX and therefore the date is contained in two fields "StartTime" and "StopTime" the events and not _time.</P> <P>This search provides the table I need for <STRONG>August</STRONG>:</P> <PRE><CODE>index=dbx MachID=oven* | where StartTime&gt;=1564617600 AND StopTime&lt;1567296000 AND StopTime&gt;0 | lookup machines.csv MachID OUTPUTNEW Machine | eval StartTime_Human=strftime(StartTime,"%a %B %d %Y %H:%M:%S"), StopTime_Human=strftime(StopTime,"%a %B %d %Y %H:%M:%S"), TotTimeHrs=TotTime/3600, DownTimeHrs=(DownTime/3600), SchedHrs=(SchedQty/ExpCycTm)/60+3 | eval OEE-A-ROTO=((TotTimeHrs)-(DownTimeHrs))/(TotTimeHrs) | stats avg(SchedHrs) AS SchedHrsAvg, avg(OEE-A-ROTO) AS OEE-A-ROTO, sum(TotTimeHrs) AS TotTimeHrsSum BY JobID, Machine | eval OEE-P-ROTO=SchedHrsAvg/TotTimeHrsSum | eval OEE-ROTO=('OEE-A-ROTO'*'OEE-P-ROTO'*0.97) | stats avg(OEE-ROTO) AS OEE by Machine | eval OEE=round(OEE*100)."%" </CODE></PRE> <P>Which provides this:</P> <PRE><CODE>Machine OEE Oven2 86% Oven3 88% Oven4 84% Oven5 80% Oven6 88% </CODE></PRE> <P>What I would actually like this to be is:</P> <PRE><CODE>Machine JAN FEB MAR APR MAY JUN JUL AUG Oven2 86% 86% 86% 86% 86% 86% 86% 86% Oven3 88% 84% 86% 86% 86% 86% 86% 86% Oven4 84% 86% 86% 86% 86% 86% 86% 80% Oven5 80% 86% 86% 86% 86% 86% 86% 80% Oven6 88% 86% 86% 86% 86% 86% 86% 80% </CODE></PRE> <P>Thanks for the help!<BR /> Cheers<BR /> John</P> Thu, 12 Sep 2019 16:07:57 GMT https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480319#M134627 johnansett 2019-09-12T16:07:57Z https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480320#M134628 <P>Hi johnansett,<BR /> your search is probably very slow because in the main search you haven't _time field, it could be useful to create the _time field in the extraction query in DBX (obviously in epochtime format).</P> <P>At first, you don't need the first where command: you can put the filters in the main search that is better!</P> <PRE><CODE>index=dbx MachID=oven* StartTime&gt;=1564617600 AND StopTime&lt;1567296000 AND StopTime&gt;0 </CODE></PRE> <P>Then, the following fields are in the main search results? TotTime, DownTime, SchedQty, ExpCycTm ; otherwise I don't understand how you calculate them.</P> <P>Anyway, you can use bin and chart commands to have something near timechart, e.g.:</P> <PRE><CODE>| bin StartTime span=1d | chart sum(TotTimeHrs) AS TotTimeHrs OVER StartTime BY Machine </CODE></PRE> <P>Adapting it to your search.</P> <P>Bye.<BR /> Giuseppe</P> Thu, 12 Sep 2019 17:14:55 GMT https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480320#M134628 gcusello 2019-09-12T17:14:55Z https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480321#M134629 <P>Hi Giuseppe,</P> <P>Thanks for the input. I will try that. I'm not sure it will work with the data but I will test and see.</P> Thu, 12 Sep 2019 17:46:42 GMT https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480321#M134629 johnansett 2019-09-12T17:46:42Z https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480322#M134630 <P>good work!<BR /> Bye.<BR /> Giuseppe</P> Thu, 12 Sep 2019 17:51:38 GMT https://community.splunk.com/t5/Splunk-Search/Table-of-monthly-or-weekly-averages-using-epoch-time-in-field/m-p/480322#M134630 gcusello 2019-09-12T17:51:38Z