https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602204#M209613 <LI-CODE lang="markup">index=example_dev | bin span=1m _time | stats dc(TEST_ID) as count_of_testid by _time | eventstats avg(count_of_testid) as average_dc</LI-CODE> Fri, 17 Jun 2022 07:52:29 GMT ITWhisperer 2022-06-17T07:52:29Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602187#M209604 <P>Hello everyone!<BR /><BR />I want to combine two searches or find another solution. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />Here my problem:<BR />I need a timechart where i can show the occurences of some ID´s (example for an ID: 345FsdEE344FED- 354235werfDF2) and put an average line over it.<BR /><BR />Graph Idea:<BR />Orange: Timechart with a distinct count for the ID´s<BR />Green: Stats with average for the count of the ID´s</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="klischatb_0-1655445769136.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20145i17F3185D19F7A636/image-size/medium?v=v2&amp;px=400" role="button" title="klischatb_0-1655445769136.png" alt="klischatb_0-1655445769136.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=example_dev | bin span=1m _time | stats dc(TEST_ID) as count_of_testid by _time</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>For the timeframe i want to be flexibel but for the span 15 minutes are ok.<BR /><BR />Thank you all a lot and have a nice day.</P> Fri, 17 Jun 2022 06:10:53 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602187#M209604 klischatb 2022-06-17T06:10:53Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602188#M209605 <P>I tried to adapt this solutions but for my ID´s i didnt found the right way to do it.<BR /><A href="https://community.splunk.com/t5/Splunk-Search/How-to-overlay-a-straight-line-showing-the-average-time-taken/m-p/214020" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-to-overlay-a-straight-line-showing-the-average-time-taken/m-p/214020</A></P> Fri, 17 Jun 2022 06:12:57 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602188#M209605 klischatb 2022-06-17T06:12:57Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602189#M209606 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/189747">@klischatb</a>,</P><P>you can use the join command as used in the License Consuption report, or append, like the following example that I tried on my environemtn and runs:</P><LI-CODE lang="markup">index=_internal | bin span=10m _time | stats max(linecount) AS linecount BY _time | append [ search index=_internal | bin span=10m _time | stats avg(linecount) AS average BY _time ] | stats values(linecount) AS linecount values(average) AS average BY _time</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Jun 2022 06:26:21 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602189#M209606 gcusello 2022-06-17T06:26:21Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602192#M209607 <P>Unfortunately, this does not work, but thank you very much for this information.<BR />The IDs are not numeric fields, so the max command will not work.<BR />I had thought about eventstats, but I couldn't find a solution with testing.</P> Fri, 17 Jun 2022 06:52:44 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602192#M209607 klischatb 2022-06-17T06:52:44Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602199#M209610 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/189747">@klischatb</a>,</P><P>you could try to make the avg of dc(TEST_ID), something like this:</P><LI-CODE lang="markup">index=your_index | bin span=1m _time | stats dc(TEST_ID) as count_of_testid BY _time | append [ search index=your_index | bin span=1m _time | stats avg(dc(TEST_ID)) as avg_of_dc_testid BY _time ] | stats values(count_of_testid) AS count_of_testid values(avg_of_dc_testid) AS avg_of_dc_testid BY _time</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Jun 2022 07:25:04 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602199#M209610 gcusello 2022-06-17T07:25:04Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602204#M209613 <LI-CODE lang="markup">index=example_dev | bin span=1m _time | stats dc(TEST_ID) as count_of_testid by _time | eventstats avg(count_of_testid) as average_dc</LI-CODE> Fri, 17 Jun 2022 07:52:29 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602204#M209613 ITWhisperer 2022-06-17T07:52:29Z https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602219#M209622 <P>This works!<BR /><BR />Thank you very much.<BR /><BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<BR /><BR />and thank you too.&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR /><BR />Have a nice day.</P> Fri, 17 Jun 2022 09:16:31 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-timechart-with-average-line/m-p/602219#M209622 klischatb 2022-06-17T09:16:31Z