topic Re: time chart only computing the first part of the calculation in Splunk Search

time chart only computing the first part of the calculation

splunk3341 — Mon, 10 Jan 2022 18:27:32 GMT

Hello,

I am working with the timechart command on my following query and I am running into some problems.

I am trying to compute:
timechart span=15m sum(ofAField) as sumOfField, avg(sumOfField) as avgOfField by task

My problem with this one is that when I run it. I get the correct output for the first task but the out for the rest of the task are wrong. I am assuming that for the rest of the tasks only the sum portion of the time chart query is being calculated and not the avg. For background context there are about 11 different task this time chart is being grouped by.

TIA

Re: time chart only computing the first part of the calculation

richgalloway — Mon, 10 Jan 2022 18:40:39 GMT

I'm 99% sure you can't daisy-chain expressions like that - at least not successfully. Try computing the sum and average in different commands, something like this:

| bin span=15m _time | stats sum(ofAField) as sumOfField by _time,task | timechart span=15m avg(sumOfField) as avgOfField by task

Re: time chart only computing the first part of the calculation

splunk3341 — Mon, 10 Jan 2022 21:50:05 GMT

Hi,

Thank you for your input. I tried you suggestion but I get the same error as when I daisy-chain them.

Re: time chart only computing the first part of the calculation

richgalloway — Tue, 11 Jan 2022 01:04:54 GMT

Please tell us more about the error. What results are expected and what do you get?

Re: time chart only computing the first part of the calculation

bowesmana — Tue, 11 Jan 2022 05:59:15 GMT

If I understand you correctly, you are getting the sum of "ofAField" in a 15 minute period. In that case, what exactly should the average show for that 15 minute period - I am assuming you are looking for a flat line of the average across your time range.

In that case, you would do this

The last two lines are what you want, i.e. you first take the sum of 'ofAfield" and then use eventstats to compute the average

Then using a bar chart with an overlay of the average fields you can produce this sort of output - is this what you wanted?