Re: Adding Outputs of a Search to Timechart

_gkollias · ‎06-12-2014

Hi All,

I'd like to add duration and last weeks avg duration values in to timechart to help display time better, however I'm not getting accurate results with what I have. Here is the search without timechart:

index=contract_gateway sourcetype=esb_audit  earliest=@d bp_bp_name=PO 
| stats first(svc_context_name) as svc_context_name, earliest(_time) as _time, latest(_time) as end_time, latest(status) as status, by svc_context_id, bp_context_id 
| eval duration=(end_time-_time)  
| join svc_context_name type=left  [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO  
      | stats avg(duration) as prev_week_avg_duration by svc_context_name]  
| where duration>(2*prev_week_avg_duration)  
|  bucket span=10m _time | table _time, duration, prev_week_avg_duration | sort - _time

Increasing bucket span doesn't help either. I know there needs to be something like
...| timechart span=10m max(duration) as current_duration, min(duration) as prev_week_avg_duration, but this isn't working.

Any suggestions would be greatly appreciated

Thanks!

lguinn2 · ‎06-12-2014

This is as close as I can get with the information you have provided....

index=contract_gateway sourcetype=esb_audit  earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, range(_time) as current_duration, earliest(_time) as timestamp, latest(status) as status, by svc_context_id, bp_context_id 
| bucket timestamp span=10m
| stats avg(current_duration) as current_duration by timestamp svc_context_name
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO  
      | stats avg(duration) as prev_week_avg_duration by svc_context_name ]  
| table svc_context_name timestamp current_duration prev_week_avg_duration

_gkollias · ‎06-12-2014

Sorry, I really appreciate the help, but this also doesn't work. The actual durations are off...there has to be a way! 🙂

_gkollias · ‎06-12-2014

There are only two variables, and that is the duration and prev_week_avg_duration. Time is automatically added by the timechart.

lguinn2 · ‎06-12-2014

You can't have that many variables on a timechart - you only have 3 to work with:

X axis - time
Y axis - duration (in seconds, I suppose)
multiple lines based on a third variable - which one?

_gkollias · ‎06-12-2014

Sorry for the confusion. So what I am doing here is calculating duration of orders from today that are greater than the avg duration of orders from last week. So I am trying to add 'duration' and 'prev_week_avg_duration' to a line graph via timechart. Please let me know if that helps. Thank you

lguinn2 · ‎06-12-2014

I tried to figure out an answer to this, but I got very confused about what you actually want to see on the timechart.

Adding Outputs of a Search to Timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation