topic Re: Create Timechart from multisearch in Splunk Search

Create Timechart from multisearch

andres91302 — Mon, 19 Apr 2021 14:09:53 GMT

Hello everyone!

I'm trying to create a time chart of a variable that I have to compute as a global percentage between two searches, but after reading the documentation in splunk I cant seem to find a way to do it right.

My orginal code looks like this:

| multisearch
[| search index="portalA"
| search py="X_O1"]
[| search index="portalA"
| search px="X_O3"]
| stats c(py) as START, c(px) as END
| eval P=round(100*END/START,1)
| fields P

now that I have calculated P (as the percestage) I would like to have this plot as a time chart that shows P for the last 10 days...

so I was including
| timechart count by R limit=10 span=1d at the end of my code, I will truly appreciate if someone can kindly help me thank you SO MUCH

Re: Create Timechart from multisearch

richgalloway — Mon, 19 Apr 2021 14:18:08 GMT

The timechart command requires the _time field, but fields P removed it. Try fields _time P and then add your timechart command (using "count P" rather than "count R").

Re: Create Timechart from multisearch

andres91302 — Mon, 19 Apr 2021 19:07:24 GMT

Hello! Thank you for reaching out to me... Thank you for pointing out a misspelled I had in my question... I just tried to add the code:

| timechart count by P span="1d"
at the begining I got nothng so I changed the command "stats" for "streamstats" after that got a weird result, I'd like to kindly explain that what I am trying to do is visualize a timechart with only the value of P for the last 10 days, to see if the current value of P now is below or above those of the 10 past days, but instead I have a table with numbers above 100 (which should not happen) ... I dont know if the best thing to do would be to calculate the last 10 days manualy.. thank you for any recomendation you can give me

Re: Create Timechart from multisearch

richgalloway — Tue, 20 Apr 2021 00:36:48 GMT

To see how the value of a single field changes over time, omit the 'by' clause.

... | timechart span=1d max(P) as P

Re: Create Timechart from multisearch

andres91302 — Tue, 20 Apr 2021 01:49:04 GMT

@richgalloway thank you so much I tried

... | timechart span=1d max(P) as P

and It gave me a max value for P thats over a 100 which for my data is imposible... 😞 I dont know if this is because the coude that I am using or because the command streamstats, but If I go to my dashboard and calculate the value dor P for "!yesterday" it always gives me a number below 100... I will be reading more about the documentation of streams stats THANK YOU FO MUCH FOR YOUR HELP @richgalloway it means the wrld to me you have no idea thank yu so much