How to create a chart line overlay to display medi...

mcomfurf · ‎01-22-2015

I have a search like this:

index=wilee sourcetype=foo OR sourcetype=foo2 
|  transaction fields="acme,coyote" maxevents=2 keeporphans=f endswith="beepbeep" startswith="genius" 
| rangemap field=duration "0-1m"=0-60 "1-2m"=60.0001-120 "2-5m"=120.00001-300 "5-10m"=300.00001-600 ">10m"=600.00001-9999999  
| timechart span=1h count by range

This makes for a nice stacked column showing me distributions of durations by hour. I'd like to overlay a line on a secondary Y axis to display median durations by hour, eg

index=wilee sourcetype=foo OR sourcetype=foo2  |  transaction fields="acme,coyote" maxevents=2 keeporphans=f endswith="beepbeep" startswith="genius"  | timechart span=1h perc50(duration)

...but I'm struggling. Splunk's examples use a large dataset for axis y1, and then a subset of that for y2.

thomrs · ‎01-22-2015

Take a look at stream stats. This will let you add the mean to all events so it will be aviable as a field in your event and easily add it to your final timechart.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/streamstats#Examples

How to create a chart line overlay to display median duration by hour on a stacked column graph?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor