topic Re: Timechart with two different spans in Splunk Search

Timechart with two different spans

lukeh — Wed, 30 Oct 2013 00:05:39 GMT

Hi 🙂

I have a chart with one line for Usage (span=1d) and another line for 95th_Percentile (span=30d) but I am using "append" with "makecontinuous _time" - there has gotta be a better way...

Any help would be greatly appreciated 🙂

index=summary_blah report="CDN1"
| addtotals *Octets*
| fields + Total
| timechart span=1d max(Total) as Usage
| append [search index=summary_blah report="CDN1"
| addtotals *Octets*
| fields + Total
| timechart span=30d perc95(Total) as 95th_Percentile]
| eval Licence_Limit=96
| makecontinuous _time

Thanks in advance,

Luke 🙂

Re: Timechart with two different spans

sideview — Wed, 30 Oct 2013 00:39:49 GMT

I would pursue something like this.

it gets data off disk only once, does the extra-pass-magic in eventstats instead of gunzipping raw events twice.
I've kinda ignored your addtotals Octets here, but I think you can figure out how to get it back.

  index=summary_mediacap report="CDN1"
| eval day=_time 
| bin day span="1d"
| eval 30DayBucket=_time
| bin 30DayBucket span=30d
| eventstats max(Total) as Usage by day
| eventstats perc95(Total) as 95th_Percentile by 30DayBucket 
| eval Licence_Limit=96
| timechart span="1d" last(Licence_Limit) as Licence_Limit last(95th_Percentile) as 95th_Percentile last(Usage) as Usage

Re: Timechart with two different spans

lukeh — Wed, 30 Oct 2013 00:48:26 GMT

Thanks Nick!