Archive
Highlighted

Add a independent trendline in splunk

Path Finder

I am having the chart with durations, I want to add a line over the chart with values as avg(duration). I used below query, it works perfectly.

index=cloudfoundry sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||" | dedup processLogId| sort -splunkId |search endDate !=null AND status='COMPLETED' |eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N")
 |eval _time=start_epoch
 |eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N")
 |eval duration=round((end_epoch-start_epoch)/60)
  | chart values(duration) as duration by processLogId | eventstats avg(duration) as avg_duration

But now my requirement was changed that, Chart should based on last 30 days(may vary) and trendline should only based on last 7 days.

Kindly help me to do it

Tags (1)
Highlighted

Re: Add a independent trendline in splunk

SplunkTrust
SplunkTrust

hey @karthi

I got the answer for this question try the same search:

index=cloudfoundry sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||" | dedup processLogId| sort -splunkId |search endDate !=null AND status='COMPLETED' |eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N")
  |eval _time=start_epoch
  |eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N")
  |eval duration=round((end_epoch-start_epoch)/60)
   | chart values(duration) as duration by processLogId | eventstats avg(duration) as avg_duration

And then go to format>>chart overlay>>overlay>>select avg_duration
OR in XML just put <option name="charting.chart.overlayFields">avg_duration</option>

let me know if this helps!

View solution in original post

Highlighted

Re: Add a independent trendline in splunk

Path Finder

@mayurr98 Where can I give the time range for the trendline, because the time range for the chart and trendline is different right?

0 Karma
Highlighted

Re: Add a independent trendline in splunk

SplunkTrust
SplunkTrust

then do this with the settings as told above!

index=cloudfoundry sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||" 
| dedup processLogId 
| sort -splunkId 
| search endDate !=null AND status='COMPLETED' 
| eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N") 
| eval _time=start_epoch 
| eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N") 
| eval duration=round((end_epoch-start_epoch)/60) 
| chart values(duration) as duration by processLogId 
| appendcols 
    [ search index=cloudfoundry  earliest=-7d@h latest=now sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||" 
    | dedup processLogId 
    | sort -splunkId 
    | search endDate !=null AND status='COMPLETED' 
    | eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N") 
    | eval _time=start_epoch 
    | eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N") 
    | eval duration=round((end_epoch-start_epoch)/60) 
    | chart values(duration) as duration by processLogId 
    | eventstats avg(duration) as avg_duration] 
| filldown avg_duration
0 Karma