topic How to plot differences of values over time? in Splunk Search

How to plot differences of values over time?

henry_chiang — Tue, 04 Apr 2023 10:35:53 GMT

hi all

I have a data set like this:

_time, duration, category

XXX, 0.145,A

XXY, 0.177,B

XXZ, 0.178, A

XXX, XXY,XXZ are _time

i plot a graph like timechart avg(duration) by category and it shows two lines perfectly

but I want to plot a graph over time of the differences between the two averages (two categories). How to do that?

Re: Plot differences of values over time

yuanliu — Tue, 04 Apr 2023 07:33:47 GMT

If you examine the stats table after timechart commands, you will see two columns A and B. Treat them the same as field names so you can calculate the difference. For example,

| timechart avg(duration) by category | eval diff = A - B | fields diff

Hope this helps.

Re: Plot differences of values over time

henry_chiang — Tue, 04 Apr 2023 21:27:42 GMT

Thanks it works fine!

but what if I did

timechart avg(duration),p95(duration) by category

then how do I properly rename the fields to do the calculation between the averages and the p95s?

Re: Plot differences of values over time

bowesmana — Tue, 04 Apr 2023 23:17:52 GMT

When you use timechart with split by, the columns are named with the aggregation + the split, so use this technique

| timechart span=15m avg(duration) as avg p95(duration) as p95 by category | foreach avg* [ eval "diff<<MATCHSTR>>"='p95<<MATCHSTR>>'-'<<FIELD>>' ]

By using 'as avg' and 'as p95' means you have consistent naming and you can then use the foreach, which will iterate all the avg: category fields and use the foreach tokens <<MATCHSTR>> and <<FIELD>> to reference the other fields.

So this will create fields diff: category which is the p95 - the avg. Note the use of SINGLE quotes on the right hand side and double quotes on the left!

Re: How to plot differences of values over time?

woodcock — Wed, 12 Apr 2023 17:25:56 GMT