topic Re: timechart / chart in Splunk Search

timechart / chart

tmarlette — Mon, 14 Apr 2014 15:49:18 GMT

I know I've done this before, and I've completely forgotten, and I didn't see anything in the documentation on how to chart a value over time of a field. Im' having a complete brain fart.

I am attempeint to chart the value of a field over time (in this case perfmon values)

this is my search:

sourcetype=Perfmon* object=Processor counter="% Processor Time" | timechart Value by host

Can someone please refresh my memory on how to do this?

Re: timechart / chart

somesoni2 — Mon, 14 Apr 2014 16:36:49 GMT

How about "|timechart first(Value) as Value by host"? You can use min or max as well, as long as you keep the span of timechart same as the frequency of events.

Re: timechart / chart

linu1988 — Mon, 14 Apr 2014 16:41:11 GMT

Hello,
you are doing it right

sourcetype=Perfmon* object=Processor counter="% Processor Time" instance=_Total| timechart avg(Value) span=1m by host

Thanks

Re: timechart / chart

tmarlette — Mon, 14 Apr 2014 16:47:56 GMT

What if I just wanted to chart the values, and not the averages?

Re: timechart / chart

martin_mueller — Mon, 14 Apr 2014 16:49:51 GMT

Note, by default Windows Performance Monitor events suppress zero values, giving you inaccurate averages in many cases.
If that's an issue you can force zeroes to be reported through the input.conf stanzas by setting showZeroValue=1.

Re: timechart / chart

linu1988 — Mon, 14 Apr 2014 16:52:35 GMT

The interval you are collecting data that you can mention as span then it will give you the original value.

|timechart avg(Value) span=1m by host useother=f

|timechart per_minute(Value) by host useother=f

|timechart Values(Value) span=Monitored_Interval by host useother=f