topic Re: How can I normalize timechart with field values having wide variation in Splunk Search

How can I normalize timechart with field values having wide variation

smiththebest — Fri, 12 Apr 2019 16:48:53 GMT

Have a log file that has http response codes in a particular field. I am doing timechart on it but as the 200 responses are in millions and 4xx and 5xx are in thousands, any deviation of 4xx/5xx is not easily visible. I have to create charts for individual response code to see it. How can I put all response codes in the same timechart and normalize so that any deviations in any response code easily visible?

index=xyz sourcetype=*log | timechart span=5m count by http_rc | ....

Re: How can I normalize timechart with field values having wide variation

adonio — Fri, 12 Apr 2019 17:44:11 GMT

many ways to go about it,

you can use the log button and not the linear button
you can use a single value visualization with trellis
you can present the percent of events from the count
and other ways

try this query anywhere and work with different options:

  | gentimes start=-2 increment=5m
    | eval _time = starttime
    | eval http_rc = "200,404,500"
    | makemv delim="," http_rc
    | mvexpand http_rc
    | eval count_of_code = case(http_rc=="200",random()%200000 + 1000,http_rc=="404",random()%20,http_rc=="500",random()%30)
    | timechart span=10m sum(count_of_code) as total_count by http_rc

some screen shots for reference:

Re: How can I normalize timechart with field values having wide variation

smiththebest — Sat, 13 Apr 2019 13:52:39 GMT

Thank you so much, that is what I have been looking for and did not find in answers or was not able to locate!