How to chart field1 by field2 and overlay by aggregate

kabSplunk
Explorer

I have two fields:
field1 as response time
field2 as instance name

I want to plot the response time by instance name and overlay the average response time of a single instance name.

Data is like
Instance1 responsetime1
Instance1 responsetime2
:
Instance1 responsetimeN
Instance2 responsetime1
Instance2 responsetime2
:
Instance2 responsetimeN
:
and so on.

So I want a chart of responsetime by instance name and an overlay line of avg(responsetime) of only a single instance, say instance5.

Can you please help?

0 Karma
1 Solution

hunters_splunk
Splunk Employee

Hi KabSplunk,

Please try the following:

  1. Run the following search:

    sourcetype= | chart count, sum(responsetime) AS total_responsetime by instance | eval avg_responsetime = total_responsetime/count

  2. After you get the statistics, go to Visualization.

  3. Select Column Chart.

  4. Click Format and select **Chart Overlay**.

  5. In the Overlay field, type avg_responsetime.

You should see total_responsetime as columns on the y axis, overlaid by the avg_bytes values. Instances are on the x axis.

Hope it helps. Thanks!
Hunter

0 Karma

hunters_splunk
Splunk Employee

The search string was not correctly displayed; should be:

sourcetype=my_sourcetype | chart count, sum(responsetime) AS total_responsetime by instance | eval avg_responsetime = total_responsetime/count

0 Karma
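
An added example, not part of the original posts: a variant of the corrected search that overlays the average of only one instance (instance5, as named in the question) as a flat line across the chart. The field names target_avg and instance5_avg are assumptions introduced here, and my_sourcetype is the placeholder used in the thread.

```spl
sourcetype=my_sourcetype
| chart count, sum(responsetime) AS total_responsetime by instance
| eval avg_responsetime = total_responsetime/count
| eval target_avg = if(instance=="instance5", avg_responsetime, null())
| eventstats max(target_avg) AS instance5_avg
| fields instance, total_responsetime, instance5_avg
```

The `eventstats` step copies the one non-null value onto every row, so typing instance5_avg in the Overlay field draws a constant line over the per-instance columns. The `==` comparison in `eval` is case-sensitive, so the literal must match the instance value exactly as it appears in the data.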

kabSplunk
Explorer

Thanks. I had got it fixed.

0 Karma