Hi,
I have this in my Splunk query:
index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D* | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d") | table EXPRSSN DATE MIPS | eval _time=strptime(DATE." "."00:00:00","%Y-%m-%d %H:%M:%S") | chart values(MIPS) over _time by EXPRSSN
I wanted to add a linear trendline to my chart. Hoping I could re-create this.
How do I also customize my line chart? I wanted to have the other one filled as well. I am getting the one below from Splunk.
To easily summarize values over time, you can use the timechart command:
index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D*
| timechart span=1d avg(MIPS) ```or max(MIPS), p90(MIPS), etc.```
Core Splunk does not include a linear trendline command, but you can create one yourself using SPL. See https://wiki.splunk.com/Community:Plotting_a_linear_trendline for an old example.
Splunk Machine Learning Toolkit does include a linear regression algorithm for the fit command:
index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D*
| timechart span=1d avg(MIPS) as MIPS
| fit LinearRegression MIPS from _time
You can visualize your data as an area chart and then configure predicted(MIPS) as an overlay to show a linear trend.
Here's an example using Splunk introspection events:
| tstats max(data.normalized_pct_cpu) as pct_cpu where index=_introspection host=splunk by _time span=10s
| fit LinearRegression pct_cpu from _time
I'm not sure what the red line in your chart represents. If you want to add a moving average to your chart, you can use the trendline command:
| tstats max(data.normalized_pct_cpu) as pct_cpu where index=_introspection host=splunk by _time span=10s
| trendline sma6(pct_cpu)
| fit LinearRegression pct_cpu from _time
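A least-squares trendline written in plain SPL, for when the Machine Learning Toolkit is not installed. This is an added example, not part of the answer above or of the linked wiki page. The field names (t0, day, x, xy, xx, n, sum_*, slope, intercept, trend) are assumptions chosen for illustration. Time is converted to days since the first bucket so the sums stay small enough to avoid floating-point cancellation with raw epoch values, and days with no MIPS value are left out of the fit but still get a trend point.

```spl
index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D*
| timechart span=1d avg(MIPS) as MIPS
| eventstats min(_time) as t0
| eval day=(_time-t0)/86400
| eval x=if(isnotnull(MIPS), day, null()), xy=x*MIPS, xx=x*x
| eventstats count(x) as n, sum(x) as sum_x, sum(MIPS) as sum_y, sum(xy) as sum_xy, sum(xx) as sum_xx
| eval slope=(n*sum_xy-sum_x*sum_y)/(n*sum_xx-sum_x*sum_x)
| eval intercept=(sum_y-slope*sum_x)/n
| eval trend=intercept+slope*day
| fields _time MIPS trend
```

Render the result as an area chart and set trend as the overlay field, the same way as predicted(MIPS) in the fit version.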