https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114588#M30314 <P>5.0.1. Thanks.</P> Fri, 25 Oct 2013 02:39:22 GMT john_byun 2013-10-25T02:39:22Z https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114586#M30312 <P>I have the following search that gives me the ratio between the values from 2 separate searches. I'm sure it's pretty simple, but I'm struggling with putting this is a simple timechart. I want to see a line graph for the last 30 days plotting the 'ratio' value in 1 day increments. Also, how do I format the graph to only show tickmarks and labels for a each week instead of each day?</P> <P>sourcetype=production eventtype="completedTransaction" tag=pilot | stats count as transactions| join [search sourcetype=production eventtype="totalErrors" tag=pilot | transaction host maxspan=3m | stats count as errors] | eval ratio=(errors/transactions)*100 | fieldformat ratio=tostring(round(ratio,1))+"%"</P> Thu, 24 Oct 2013 23:45:34 GMT https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114586#M30312 john_byun 2013-10-24T23:45:34Z https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114587#M30313 <P>What version of Splunk are you using?</P> Fri, 25 Oct 2013 02:30:55 GMT https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114587#M30313 ShaneNewman 2013-10-25T02:30:55Z https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114588#M30314 <P>5.0.1. Thanks.</P> Fri, 25 Oct 2013 02:39:22 GMT https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114588#M30314 john_byun 2013-10-25T02:39:22Z https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114589#M30315 <P>There are two ways I see you can do this depending on what kind of results you want. If you want to plot <EM>each and every</EM> data point over time, it's as simple as adding this at the end of the search:</P> <PRE><CODE>| table _time ratio </CODE></PRE> <P>Because a line chart (or area, or similar) works by taking the first column of its input as the X axis value and the rest of the columns to be the value that should be plotted on the Y axis, it doesn't matter if these columns were generated by a <CODE>chart</CODE> command or not.</P> <P>One problem you will run into is that if you do this over a result set that includes many data points, your graph will take a long time to load or even drop data past a certain point - iirc the new JSChart module takes more datapoints than the FlashChart module that was previously used by default, but there's still a limit and there will still be performance issues even before you approach that limit. Because of this, <CODE>timechart</CODE> automatically divides the input into buckets of time and will output only one value per bucket. By default <CODE>timechart</CODE> will create a maximum of 100 buckets, which means that if you search the past 5 hours, each bucket will be 3 minutes long (300 minutes divided by 100 buckets = 3 minutes per bucket).</P> <P>Now, because <CODE>timechart</CODE> divides the events into buckets based on time, several events might end up in the same bucket, and <CODE>timechart</CODE> somehow needs to find a way of still representing only one value out of that. This is why you can't just simply do <CODE>timechart ratio</CODE> - you need to specify a statistical function that tells <CODE>timechart</CODE> what to do with its input. You could do <CODE>timechart first(ratio) as ratio</CODE> which unsurprisingly grabs the first value in each span and outputs that. You could use <CODE>last</CODE>, or <CODE>avg</CODE> to take an average, or <CODE>max</CODE>, or, or...</P> <P>tl;dr: For the <CODE>timechart</CODE> option, do something like</P> <PRE><CODE>sourcetype=production eventtype="completedTransaction" tag=pilot | stats count as transactions| join [search sourcetype=production eventtype="totalErrors" tag=pilot | transaction host maxspan=3m | stats count as errors] | eval ratio=(errors/transactions)*100 | fieldformat ratio=tostring(round(ratio,1))+"%" | timechart first(ratio) as ratio </CODE></PRE> Fri, 25 Oct 2013 06:44:55 GMT https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114589#M30315 Ayn 2013-10-25T06:44:55Z https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114590#M30316 <P>Sorry for taking so long to get back to you. I've tried both options and neither are working for me. Adding<BR /> | table _time ratio<BR /> shows me a blank line graph.<BR /> The timechart query shows no results found. Thoughts?</P> Mon, 28 Oct 2013 22:33:28 GMT https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114590#M30316 john_byun 2013-10-28T22:33:28Z https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114591#M30317 <P>Ah, I see now that you're doing a <CODE>stats</CODE> early in your search. After that stats command, the <CODE>_time</CODE> field will no longer be available. I don't know enough about your data to say how you would switch away from <CODE>stats</CODE>, but generally if you want to run stats against your events but without having it consume all fields, leaving only the aggregated results, switch to using <CODE>eventstats</CODE> instead. It will write its results as field values in the original events instead.</P> Tue, 29 Oct 2013 05:51:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-assistance-creating-a-timechart-using-a-calculated-value/m-p/114591#M30317 Ayn 2013-10-29T05:51:08Z