Splunk Enterprise

help on average line which is dont displayed

jip31
Builder

hi

 

I wonder why my verage line is not displayed in my timechart?

 

        <search>
          <query>`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| timechart span=24h avg(process_cpu_used_percent) as "CPU used" by host useother=false 
| eventstats avg("CPU used") as Average 
| eval Average=round(Average,0)</query>
          <earliest>-30d@h</earliest>
          <latest>@d</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleY.text">CPU used (%)</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">Average</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"T6999": DC4E41, "T5473": 53A051, "T5470": 0847EE, "Average":0xFF5A09}</option>
        <option name="charting.fieldDashStyles">{"CPU used":"solid"}</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.lineWidth">4px</option>
        <option name="height">400</option>
        <option name="refresh.display">progressbar</option>
      </chart>

 

thanks in advance

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
Legend

You can only overlay one line not three, although you could calculate the three averages

`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| bin _time span=24h
| stats avg(process_cpu_used_percent) as "CPU used" by _time host
| eventstats avg("CPU used") as Average by host
| eval Average=round(Average,1)
| chart values("CPU used") as "CPU used" values(Average) as Average by _time host

View solution in original post

0 Karma

ITWhisperer
Legend

timechart doesn't give you a column called "CPU used" so there is nothing to average. You could try breaking the timechart up

`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| bin _time span=24h
| stats avg(process_cpu_used_percent) as "CPU used" by _time host
| eventstats avg("CPU used") as Average 
| eval Average=round(Average,0)
0 Karma

jip31
Builder

OK thanks

Yes I can see now an average with | eval Average=round(Average,1)

but the chart line is very astonishing

0 Karma

ITWhisperer
Legend

Not sure what that means - is it good? or not what you expected?

0 Karma

jip31
Builder

It's an half of what expected because I would like to found a solution for having an average even if i use 

 

| timechart span=24h avg(process_cpu_used_percent) as "CPU used" by host

 

If I delete the "by host" I am able to do an average but I really need to have 3 lines in my tumechart corresponding to my 3 host

0 Karma

ITWhisperer
Legend

If you remove by host, you are getting average cpu used by 24h span. If this the average you want, rather than the overall average across your time range?

0 Karma

jip31
Builder

I mean something like this

It works, I have the average but I have just one  line intread 3 obvioulsly

Spoiler
| timechart span=24h avg(process_cpu_used_percent) as "CPU used" useother=false 
| eventstats avg("CPU used") as Average 
| eval Average=round(Average,1)

So I would like the same think with 3 lines by host but not sure is it possible with a timechart

Tags (1)
0 Karma

ITWhisperer
Legend

You can only overlay one line not three, although you could calculate the three averages

`CPU` 
| fields process_cpu_used_percent host 
| search host=$tok_filterhost$ OR host=$tok_filterhost2$ OR host=$tok_filterhost3$ 
| bin _time span=24h
| stats avg(process_cpu_used_percent) as "CPU used" by _time host
| eventstats avg("CPU used") as Average by host
| eval Average=round(Average,1)
| chart values("CPU used") as "CPU used" values(Average) as Average by _time host

View solution in original post

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!