Solved: Can't get Trendline working - values always blank

leatherface · ‎09-18-2014

I'm trying to overlay a trendline over an area graph showing count of records by month. I have a simple search

index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma5(count) as trend | fields * trend

But the trend column is always empty. What am I doing wrong? I've tried various tricks like wrapping the trendline function around another function (e.g. sma5(max(the_count))), and using timechart but no luck.

Thanks in advance.

wpreston · ‎09-18-2014

You're using sma5 as your trending function, which tells Splunk to calculate the trend over 5 periods, however your stats command only produces 3 periods, so the trendline command cannot produce anything. You can see this if you change your search to use sma2():

index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma2(count) as trend | fields * trend

View solution in original post

wpreston · ‎09-18-2014

You're using sma5 as your trending function, which tells Splunk to calculate the trend over 5 periods, however your stats command only produces 3 periods, so the trendline command cannot produce anything. You can see this if you change your search to use sma2():

index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma2(count) as trend | fields * trend

leatherface · ‎09-19-2014

Perfect. I'd assumed sma5 was just the name of the algorithm used for the calculation and that the 5 had no special meaning. Ironically, the real search looks back 12 months, but I'd shortened it to 3 while I tried to get the trendline working. Thanks so much for the help!

Can't get Trendline working - values always blank

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?