Solved: How to timechart multiple functions in one search?

naty · ‎01-18-2017

Hi,

i want to do a timechart with multiple functions, for example - timechart span=1h max(blabla) by boo1 avg(blabla) by boo1

this is my search:

index=myind source=mysrc | timechart span=1h avg(CPU_USAGE) by Process_Name

CPU_USAGE and Process_Name are made up, just so i can show the split-by clause.

what i would like to do is something like this:
index=myind source=mysrc | timechart span=1h avg(CPU_USAGE) by Process_Name, max(CPU_USAGE) by Process_Name

so the idea is to show on the same panel both the average & the maximum of the CPU_USAGE for each process name.
because there can only be one split-by clause, the above search won't help.

i tried using this:
index=myind source=mysrc | timechart span=1h avg(CPU_USAGE) by Process_Name | appendcols [search index=myind source=mysrc | timechart span=1h max(CPU_USAGE) by Process_Name]

but that's a heavy search that is not really good, i am doing twice the search for the same data 😞

help!

andrey2007 · ‎01-18-2017

index=myind source=mysrc | timechart span=1h avg(CPU_USAGE) max(CPU_USAGE) by Process_Name

View solution in original post

andrey2007 · ‎01-18-2017

index=myind source=mysrc | timechart span=1h avg(CPU_USAGE) max(CPU_USAGE) by Process_Name

naty · ‎01-21-2017

great!
Thank you!

How to timechart multiple functions in one search?

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to timechart multiple functions in one search?

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!