Hi All,
I'd like to add duration and last week's avg duration values into a timechart to help display time better; however, I'm not getting accurate results with what I have. Here is the search without timechart:
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, earliest(_time) as _time, latest(_time) as end_time, latest(status) as status, by svc_context_id, bp_context_id
| eval duration=(end_time-_time)
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
| stats avg(duration) as prev_week_avg_duration by svc_context_name]
| where duration>(2*prev_week_avg_duration)
| bucket span=10m _time | table _time, duration, prev_week_avg_duration | sort - _time
Increasing bucket span doesn't help either. I know there needs to be something like
...| timechart span=10m max(duration) as current_duration, min(duration) as prev_week_avg_duration,
but this isn't working.
Any suggestions would be greatly appreciated.
Thanks!
This is as close as I can get with the information you have provided....
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, range(_time) as current_duration, earliest(_time) as timestamp, latest(status) as status, by svc_context_id, bp_context_id
| bucket timestamp span=10m
| stats avg(current_duration) as current_duration by timestamp svc_context_name
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
| stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| table svc_context_name timestamp current_duration prev_week_avg_duration
Sorry, I really appreciate the help, but this also doesn't work. The actual durations are off...there has to be a way! 🙂
There are only two variables, and that is the duration and prev_week_avg_duration. Time is automatically added by the timechart.
You can't have that many variables on a timechart - you only have 3 to work with:
X axis - time
Y axis - duration (in seconds, I suppose)
multiple lines based on a third variable - which one?
Sorry for the confusion. So what I am doing here is calculating duration of orders from today that are greater than the avg duration of orders from last week. So I am trying to add 'duration' and 'prev_week_avg_duration' to a line graph via timechart. Please let me know if that helps. Thank you
I tried to figure out an answer to this, but I got very confused about what you actually want to see on the timechart.
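One way to put both values on a single line chart, as an added example that is not part of the original thread. It reuses the index, source and field names from the searches above, takes the series name `current_duration` from the first post's attempt, and assumes the summary index's `duration` field is in the same unit (seconds) as `end_time-_time`.

```spl
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, earliest(_time) as _time, latest(_time) as end_time, latest(status) as status by svc_context_id, bp_context_id
| eval duration=(end_time-_time)
| join type=left svc_context_name
    [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
    | stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| where duration>(2*prev_week_avg_duration)
| timechart span=10m max(duration) as current_duration, avg(prev_week_avg_duration) as prev_week_avg_duration
```

Here `_time` is each order's first event, so the 10-minute buckets group orders by start time. Each aggregate reads its own field (`duration` for one series, `prev_week_avg_duration` for the other), and buckets with no slow orders come out empty.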