https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246879#M73599 <P>Try this</P> <PRE><CODE>[[search&gt;]] earliest=-30d@d latest=@d | bucket _time span=1d | stats count as Volume by _time | rename _time As Date | eval Date = strftime(Date, "%a, %b %d") | eventstats sum(Volume) as "Threshold Volume" | eval "Threshold Volume"='Threshold Volume' / 22| rename Volume as "Daily Volume" </CODE></PRE> Wed, 30 Sep 2015 15:57:03 GMT somesoni2 2015-09-30T15:57:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246877#M73597 <P>I'd like to plot in a timechart the count of events over the last 30 days.<BR /> In addition to this, I'd like another line which plots a line over the same period from a static value which is derived from the total of counts over the last month / 22.</P> <P>Whilst I have no problem displaying the count of events over 30 days, I'm unsure as to how to plot a static value (ie. calculate a static value and plot it against all times as a threshold).</P> <P>The following displays the average based on monthly count.</P> <PRE><CODE>[[search&gt;]] earliest=-30d@d latest=@d | bucket _time span=1d | stats count as Volume by _time | rename _time As Date | eval Date = strftime(Date, "%a, %b %d") | eventstats avg(Volume) as "Threshold Volume" | rename Volume as "Daily Volume" </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/691iBE4D986BB87414A8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>However I actually want the 'Threshold Volume' to instead be derived from Volume / 22. </P> <P>Thanks in advance for your help</P> Wed, 30 Sep 2015 06:56:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246877#M73597 trem 2015-09-30T06:56:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246878#M73598 <P>Hi,</P> <P>just add this to the end of your current search:</P> <PRE><CODE>... | eval "new Threshhold" = 'Threshold Volume' / 22 </CODE></PRE> <P>This simply calculates the value you want and puts it in a new field.<BR /> If you want the total Volume / 22 instead of the avg Volume / 22 as Threshold you need to change the avg in your eventstats to sum.</P> <P>Greetings</P> <P>Tom</P> Wed, 30 Sep 2015 14:08:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246878#M73598 tom_frotscher 2015-09-30T14:08:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246879#M73599 <P>Try this</P> <PRE><CODE>[[search&gt;]] earliest=-30d@d latest=@d | bucket _time span=1d | stats count as Volume by _time | rename _time As Date | eval Date = strftime(Date, "%a, %b %d") | eventstats sum(Volume) as "Threshold Volume" | eval "Threshold Volume"='Threshold Volume' / 22| rename Volume as "Daily Volume" </CODE></PRE> Wed, 30 Sep 2015 15:57:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246879#M73599 somesoni2 2015-09-30T15:57:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246880#M73600 <P>Thanks. That did the trick.</P> Wed, 30 Sep 2015 22:38:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246880#M73600 trem 2015-09-30T22:38:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246881#M73601 <P>Thanks Tom. Replacing avg() with sum() worked.</P> Wed, 30 Sep 2015 22:39:46 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-plot-a-static-value-over-time-that-is-derived-from-the/m-p/246881#M73601 trem 2015-09-30T22:39:46Z