https://community.splunk.com/t5/Splunk-Search/Line-Graphs-Dynamic-Line/m-p/37493#M8390 <P>Finally getting used to Splunk and have it importing my data from a database.</P> <P>Now I'm working on generating a line chart that plots out the recorded load to a database. We would like to look over a particular load and see how the load is across multiple days so we can identify unusual drops. This would include stuff like:</P> <P>Row_Count=123 Error_Count=0 Average_Row_Count=120 Tolerance_Percentage=10</P> <P>So I can plot out the Row, Average Row and Error fine.</P> <P>But now I want to include the Tolerance Percentage which is the standard deviation from the average row count, i.e. a line at 108 and a line at 132.</P> <P>| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT, list(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR) AS TOLERANCE_MIN BY LOAD_MNTR_RUN_ID, JOB_NAME</P> <P>Gives out about using *</P> <P>| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT BY LOAD_MNTR_RUN_ID, JOB_NAME | eval TOLERANCE_MIN=(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR)</P> <P>Just doesnt report TOLERANCE_MIN.</P> <P>Pretty sure I am missing something basic here..</P> Wed, 02 Feb 2011 22:43:14 GMT JohnDoyle 2011-02-02T22:43:14Z https://community.splunk.com/t5/Splunk-Search/Line-Graphs-Dynamic-Line/m-p/37493#M8390 <P>Finally getting used to Splunk and have it importing my data from a database.</P> <P>Now I'm working on generating a line chart that plots out the recorded load to a database. We would like to look over a particular load and see how the load is across multiple days so we can identify unusual drops. This would include stuff like:</P> <P>Row_Count=123 Error_Count=0 Average_Row_Count=120 Tolerance_Percentage=10</P> <P>So I can plot out the Row, Average Row and Error fine.</P> <P>But now I want to include the Tolerance Percentage which is the standard deviation from the average row count, i.e. a line at 108 and a line at 132.</P> <P>| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT, list(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR) AS TOLERANCE_MIN BY LOAD_MNTR_RUN_ID, JOB_NAME</P> <P>Gives out about using *</P> <P>| stats list(AVG_ROW_CNT_NBR) AS AVERAGE_ROW_COUNT, list(ROW_CNT_NBR) AS ROW_COUNT, list(ERR_CNT_NBR) AS ERROR_COUNT BY LOAD_MNTR_RUN_ID, JOB_NAME | eval TOLERANCE_MIN=(((AVG_ROW_CNT_NBR/100) * TLRNC_ALLOW_PCT) - AVG_ROW_CNT_NBR)</P> <P>Just doesnt report TOLERANCE_MIN.</P> <P>Pretty sure I am missing something basic here..</P> Wed, 02 Feb 2011 22:43:14 GMT https://community.splunk.com/t5/Splunk-Search/Line-Graphs-Dynamic-Line/m-p/37493#M8390 JohnDoyle 2011-02-02T22:43:14Z https://community.splunk.com/t5/Splunk-Search/Line-Graphs-Dynamic-Line/m-p/37494#M8391 <P>You dont want to use stats list like this. This will give you one result row that has lots of multi-valued values. Although it sort of looks like what you want, it isnt. </P> <P>I think this might be closer to what you're looking for: </P> <PRE><CODE>&lt;your search&gt; | eval Row_Count_Lower = Row_Count - Tolerance_Percentage | eval Row_Count_Upper = Row_Count + Tolerance_Percentage | | timechart avg(Row_Count_Lower) avg(Row_Count) avg(Row_Count_Upper) avg(Error_Count) span=1h </CODE></PRE> <P>The output of that chart will get graphed as 4 lines, and the legend will show that one of the lines is the Row_Count minus the tolerance, one is the Row_Count itself, one is the Row_Count plus the tolerance. </P> <P>If you're more interested in maxima and minima, just add in some <CODE>max(Row_Count_Upper)</CODE> etc as necessary.</P> <P>Note: If you're trying to generate graphs your best bet is to always use the <CODE>chart</CODE> and <CODE>timechart</CODE> commands. </P> <P><A href="http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions" rel="nofollow">http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions</A></P> Thu, 03 Feb 2011 03:31:40 GMT https://community.splunk.com/t5/Splunk-Search/Line-Graphs-Dynamic-Line/m-p/37494#M8391 sideview 2011-02-03T03:31:40Z