Deployment Architecture

30 minute time bucket vs 2 day time


I know this can be done with an append, but I am pretty sure this is possible just via evals. Please help me out if possible.

Index=source earliest=-48h@h 
| bin _time span=15m 
| search CustomName=Place123
| eventstats avg(RawStatus_Avg) AS perHour by _time 
| timechart span=60m avg(perHour) as Total by CustomName
| eval threshold=relative_time(now(),"-30m") 
| stats avg(eval(_time<threshold)) as Old avg(eval(_time>threshold)) as Current by Total
| eval OldAvgCnt=Old/95 
| eval ratio=Current/OldAvgCnt 
| table ratio

I am trying to see the last 30 minutes vs. the last 48 hours both with lines on a chart.


0 Karma

Re: 30 minute time bucket vs 2 day time


Hey Joshua,

I've gone a little back and forth on this one in terms of how to approach it. From what I can gather, your requirements are as follows:

  • You want to see the latest 30 minutes on a line chart
  • You want to see the average for the last 48 hours on the same line chart
  • You want to be able to change the "CustomName" field to define which CustomName field value you're looking for

The solution I've come up with relies primarily on the timewrap and the foreach commands. If I'm understanding the problem correctly, this should satisfy all three of the requirements:

index=source earliest=-48h@h 
| bin _time span=5m 
| search CustomName="Place123" 
| chart avg(RawStatus_Avg) AS perHour OVER _time by CustomName 
| timewrap 30minutes 
| fillnull value=0 
| eval counter=0, priorAvg=0 
| foreach *before 
    [ eval priorAvg=if(isnotnull(<<FIELD>>), <<FIELD>>+priorAvg, priorAvg), counter=counter+1] 
| eval priorAvg=priorAvg/counter 
| rename *_latest_30minutes AS *_Current 
| table _time *_Current priorAvg

The priorAvg field displays your average over the last 48 hours, while the *_Current field shows current values in the last 30 minutes. I've used 5 minute buckets instead of 15 to give you a few more chart plot points, but that can be changed if you require.

I'm also unclear on how the ratio field plays into the question, but you can re-add it onto the chart if you'd like by adding this:

| foreach *_Current 
    [ eval <<MATCHSTR>>_Ratio = <<FIELD>> / priorAvg] 
| table *_Ratio

If I'm misunderstanding the question, or if anything isn't working as expected, please let me know. I am also here to assist if anything doesn't make sense.

Best of luck!

0 Karma

Re: 30 minute time bucket vs 2 day time


Solved it.

index=words earliest=-48h@h
| search CustomrName=place123
| eval StartTime=relativetime(now(),"-15m@m")

| eval Series= if(
| eval Hour = strftime(time,"%H")
| timechart avg(RawStatus
Avg) by Series

View solution in original post

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.