Splunk Search

Can't get Trendline working - values always blank

leatherface
Explorer

I'm trying to overlay a trendline over an area graph showing count of records by month. I have a simple search

index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma5(count) as trend | fields * trend

But the trend column is always empty. What am I doing wrong? I've tried various tricks like wrapping the trendline function around another function (e.g. sma5(max(the_count))), and using timechart but no luck.

Thanks in advance.

Tags (2)
0 Karma
1 Solution

wpreston
Motivator

You're using sma5 as your trending function, which tells Splunk to calculate the trend over 5 periods, however your stats command only produces 3 periods, so the trendline command cannot produce anything. You can see this if you change your search to use sma2():

index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma2(count) as trend | fields * trend

View solution in original post

wpreston
Motivator

You're using sma5 as your trending function, which tells Splunk to calculate the trend over 5 periods, however your stats command only produces 3 periods, so the trendline command cannot produce anything. You can see this if you change your search to use sma2():

index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma2(count) as trend | fields * trend

leatherface
Explorer

Perfect. I'd assumed sma5 was just the name of the algorithm used for the calculation and that the 5 had no special meaning. Ironically, the real search looks back 12 months, but I'd shortened it to 3 while I tried to get the trendline working. Thanks so much for the help!

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...