Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on average line which is dont displayed

jip31
Motivator
‎04-19-2021 01:17 AM

hi

 

I wonder why my verage line is not displayed in my timechart?

 

        <search>
          <query>`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| timechart span=24h avg(process_cpu_used_percent) as "CPU used" by host useother=false 
| eventstats avg("CPU used") as Average 
| eval Average=round(Average,0)</query>
          <earliest>-30d@h</earliest>
          <latest>@d</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleY.text">CPU used (%)</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">Average</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"T6999": DC4E41, "T5473": 53A051, "T5470": 0847EE, "Average":0xFF5A09}</option>
        <option name="charting.fieldDashStyles">{"CPU used":"solid"}</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.lineWidth">4px</option>
        <option name="height">400</option>
        <option name="refresh.display">progressbar</option>
      </chart>

 

thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 06:12 AM

You can only overlay one line not three, although you could calculate the three averages

`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| bin _time span=24h
| stats avg(process_cpu_used_percent) as "CPU used" by _time host
| eventstats avg("CPU used") as Average by host
| eval Average=round(Average,1)
| chart values("CPU used") as "CPU used" values(Average) as Average by _time host

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 03:05 AM

timechart doesn't give you a column called "CPU used" so there is nothing to average. You could try breaking the timechart up

`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| bin _time span=24h
| stats avg(process_cpu_used_percent) as "CPU used" by _time host
| eventstats avg("CPU used") as Average 
| eval Average=round(Average,0)
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-19-2021 03:15 AM

OK thanks

Yes I can see now an average with | eval Average=round(Average,1)

but the chart line is very astonishing

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 03:28 AM

Not sure what that means - is it good? or not what you expected?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-19-2021 04:05 AM

It's an half of what expected because I would like to found a solution for having an average even if i use 

 

| timechart span=24h avg(process_cpu_used_percent) as "CPU used" by host

 

If I delete the "by host" I am able to do an average but I really need to have 3 lines in my tumechart corresponding to my 3 host

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 04:21 AM

If you remove by host, you are getting average cpu used by 24h span. If this the average you want, rather than the overall average across your time range?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-19-2021 05:42 AM

I mean something like this

It works, I have the average but I have just one  line intread 3 obvioulsly

Spoiler
| timechart span=24h avg(process_cpu_used_percent) as "CPU used" useother=false 
| eventstats avg("CPU used") as Average 
| eval Average=round(Average,1)

So I would like the same think with 3 lines by host but not sure is it possible with a timechart

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 06:12 AM

You can only overlay one line not three, although you could calculate the three averages

`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| bin _time span=24h
| stats avg(process_cpu_used_percent) as "CPU used" by _time host
| eventstats avg("CPU used") as Average by host
| eval Average=round(Average,1)
| chart values("CPU used") as "CPU used" values(Average) as Average by _time host
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...