
30 minute time bucket vs 2 day time

JoshuaJohn
Contributor

I know this can be done with an append, but I am pretty sure this is possible just via evals. Please help me out if possible.

index=source earliest=-48h@h
| bin _time span=15m
| search CustomName=Place123
| eventstats avg(RawStatus_Avg) AS perHour by _time
| timechart span=60m avg(perHour) as Total by CustomName
| eval threshold=relative_time(now(),"-30m")
| stats avg(eval(_time<threshold)) as Old avg(eval(_time>threshold)) as Current by Total
| eval OldAvgCnt=Old/95
| eval ratio=Current/OldAvgCnt
| table ratio

I am trying to see the last 30 minutes vs. the last 48 hours both with lines on a chart.

Thanks,


JoshuaJohn
Contributor

Solved it.

index=words earliest=-48h@h
| search CustomName=place123
| eval StartTime=relative_time(now(),"-15m@m")
| eval Series= if(_time>=StartTime,"Last_15_Minutes","Two_Day_Avg")
| eval Hour = strftime(_time,"%H")
| timechart avg(RawStatus_Avg) by Series


rbechtold
Communicator

Hey Joshua,

I've gone a little back and forth on this one in terms of how to approach it. From what I can gather, your requirements are as follows:

  • You want to see the latest 30 minutes on a line chart
  • You want to see the average for the last 48 hours on the same line chart
  • You want to be able to change the "CustomName" field to define which CustomName field value you're looking for

The solution I've come up with relies primarily on the timewrap and the foreach commands. If I'm understanding the problem correctly, this should satisfy all three of the requirements:

index=source earliest=-48h@h 
| bin _time span=5m 
| search CustomName="Place123" 
| chart avg(RawStatus_Avg) AS perHour OVER _time by CustomName 
| timewrap 30minutes 
| fillnull value=0 
| eval counter=0, priorAvg=0 
| foreach *before 
    [ eval priorAvg=if(isnotnull(<<FIELD>>), <<FIELD>>+priorAvg, priorAvg), counter=counter+1] 
| eval priorAvg=priorAvg/counter 
| rename *_latest_30minutes AS *_Current 
| table _time *_Current priorAvg

The priorAvg field displays your average over the last 48 hours, while the *_Current field shows current values in the last 30 minutes. I've used 5 minute buckets instead of 15 to give you a few more chart plot points, but that can be changed if you require.

I'm also unclear on how the ratio field plays into the question, but you can re-add it onto the chart if you'd like by adding this:

 ...BASE SEARCH... 
| foreach *_Current 
    [ eval <<MATCHSTR>>_Ratio = <<FIELD>> / priorAvg] 
| table *_Ratio

If I'm misunderstanding the question, or if anything isn't working as expected, please let me know. I am also here to assist if anything doesn't make sense.

Best of luck!

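The bin / timewrap / foreach logic from the answer above, re-implemented in Python as an added example (not Splunk code and not from anyone in this thread) so the arithmetic can be checked offline: each 5-minute offset inside the latest 30-minute period is divided by the average of that same offset across the 95 earlier periods, which is where the `/95` in the original question comes from. It assumes a constructed event set and a fixed `NOW` aligned to a 30-minute boundary, and counts missing cells as 0 the way `fillnull value=0` does.

```python
from collections import defaultdict
from statistics import mean

BUCKET = 5 * 60        # bin _time span=5m
WINDOW = 30 * 60       # timewrap 30minutes
LOOKBACK = 48 * 3600   # earliest=-48h
NOW = 1_700_001_000    # constructed "now", a multiple of 30 minutes

def bucket_averages(events, now=NOW, field="RawStatus_Avg"):
    """chart avg(RawStatus_Avg) over 5-minute buckets inside the lookback."""
    buckets = defaultdict(list)
    for ev in events:
        if now - LOOKBACK <= ev["_time"] <= now:
            buckets[ev["_time"] - ev["_time"] % BUCKET].append(ev[field])
    return {t: mean(vals) for t, vals in buckets.items()}

def wrap_and_compare(events, now=NOW):
    """Timewrap-style rows: for each 5-minute offset in the latest 30-minute
    period, priorAvg = sum of the same offset over the 95 earlier periods
    divided by 95 (missing cells contribute 0), ratio = current / priorAvg."""
    per_bucket = bucket_averages(events, now)
    cutoff = now - WINDOW
    n_prior = LOOKBACK // WINDOW - 1            # the 95 "*_before" columns
    prior_sum, current = defaultdict(float), {}
    for t, v in per_bucket.items():
        offset = (t - cutoff) % WINDOW          # position inside a period
        if t >= cutoff:
            current[offset] = v                 # the "*_latest_30minutes" column
        else:
            prior_sum[offset] += v
    rows = []
    for offset in range(0, WINDOW, BUCKET):
        prior_avg = prior_sum[offset] / n_prior
        cur = current.get(offset, 0.0)
        rows.append({"offset_min": offset // 60, "current": cur,
                     "priorAvg": prior_avg,
                     "ratio": cur / prior_avg if prior_avg else None})
    return rows

def constructed_events():
    """Synthetic input: one event per 5-minute bucket, a flat 10.0 baseline
    for 48 hours that climbs from 10 to 20 over the last 30 minutes."""
    events = []
    for t in range(NOW - LOOKBACK, NOW, BUCKET):
        step = (t - (NOW - WINDOW)) // BUCKET if t >= NOW - WINDOW else 0
        events.append({"_time": t, "CustomName": "Place123",
                       "RawStatus_Avg": 10.0 + 2.0 * step})
    return events
```

A ratio well above 1.0 in the last row is the spike the chart is meant to make visible; the same rows give a threshold you can alert on instead of eyeballing the line.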