topic Re: Convert to Timechart in Splunk Search

Convert to Timechart

SplunkBaby — Tue, 18 Feb 2014 10:20:47 GMT

My search string is
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count|eval Average=total /Count|table field total ,Count,Average

Actually I want to produce a timechart report and _time on X axis and Average on Y axis.
Can anybody help me to convert the above search to timechart format.

Re: Convert to Timechart

emaccaferri — Tue, 18 Feb 2014 11:24:25 GMT

You should change stats in eventstats, in this way you keep _time fild along the search. After that you can use timechart, you can also use math inline with it
timechart span=1h eval(total/Count) as Average.

Re: Convert to Timechart

SplunkBaby — Tue, 18 Feb 2014 14:08:22 GMT

I tried this and getting the error
Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

(host=A AND "ER"=ABC ) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count |timechart span=1h eval(TotalVisit/Count) by "ER Code"

Re: Convert to Timechart

emaccaferri — Tue, 18 Feb 2014 14:22:42 GMT

try
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | eventstats sum(field)total ,count("user") as Count|eval Average=total /Count| timechart span=1h Average

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | timechart span=1h eval(sum(field)/count("user")) as Average

Re: Convert to Timechart

somesoni2 — Tue, 18 Feb 2014 14:32:10 GMT

Try this

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | bucket _time span=1d | stats sum(field) as total ,count(user) as Count by _time |eval Average=total/Count | timechart span=1d max(Average) as Average

Change the span value as per your need in bucket and timechart command (currently showing for 1 day).(both should match)

Re: Convert to Timechart

SplunkBaby — Tue, 18 Feb 2014 15:29:15 GMT

Both of this solution's doesn't work

Re: Convert to Timechart

SplunkBaby — Wed, 19 Feb 2014 07:57:12 GMT

when i run the below query
....| stats sum(Visits) as TotalVisit,count("USER_NAME") as Count|eval Average=TotalVisit/Count|table field TotalVisit,Count,Average
Output is 212 ,2, 106.
I need to convert this query to timechart base.
I convert the above query to your recommendation and i am not getting 4002 rows with _time but averge is not displayed.I use span=1m in both place.
Correct me if i am wrong.
basic purpose of my query is
1)calculate average(based on total and count) value on different time stamps.I would like to get the _time form host=B.
_time of 2 host are different.

Re: Convert to Timechart

Ayn — Wed, 19 Feb 2014 08:25:08 GMT

FWIW - I think you should learn about how timechart works instead of asking the community to give you ready-made solutions.