Solved: Add sum of two values to timeseries chart

_smp_ · ‎02-21-2016

Hello, brand new Splunk user here getting my feet wet with the product, but I may be asking too much of myself at this point. We'll see.

I have a Windows forwarder sending messages to an Indexer on Linux. The forwarder is configured to send CPU stats, and the events are split between "% User TIme" and "% Processor Time". There is one event from each type sent every 10 seconds. I managed to create a timeseries chart with two lines - one line for % User TIme, and another line for % User time. Here is my search:

index=main source="Perfmon:CPU Load" | timechart max(Value) by counter

What I'd like to do now is add a third line representing the sum of these two values at a given point. So for example say at 10:00:00, I get an event with % User Time = 10 and % Processor Time = 20. At this point, I'd like a third line representing the sum of those two values (10 + 20 = 30), but overlaid on the same chart.

I have spent a few hours now reading the doc, Answers, and experimenting, but haven't come close. Seems like it should be pretty simple?

somesoni2 · ‎02-21-2016

What you need is "addtotals" command. See more details here.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addtotals

View solution in original post

somesoni2 · ‎02-21-2016

What you need is "addtotals" command. See more details here.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addtotals

_smp_ · ‎02-23-2016

Yep, that was it. Just had to add an additional pipe to my search:

index=main source="Perfmon:CPU Load" | timechart max(Value) by counter | addtotals *Time Total row=t

Easy! Thanks so much!!!

Add sum of two values to timeseries chart

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!