Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can't get Trendline working - values always blank
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to overlay a trendline over an area graph showing count of records by month. I have a simple search
index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma5(count) as trend | fields * trend
But the trend column is always empty. What am I doing wrong? I've tried various tricks like wrapping the trendline function around another function (e.g. sma5(max(the_count))), and using timechart but no luck.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're using sma5 as your trending function, which tells Splunk to calculate the trend over 5 periods, however your stats command only produces 3 periods, so the trendline command cannot produce anything. You can see this if you change your search to use sma2():
index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma2(count) as trend | fields * trend
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're using sma5 as your trending function, which tells Splunk to calculate the trend over 5 periods, however your stats command only produces 3 periods, so the trendline command cannot produce anything. You can see this if you change your search to use sma2():
index="bar" earliest=-3month@month latest=@month | stats count by date_month | trendline sma2(count) as trend | fields * trend
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. I'd assumed sma5 was just the name of the algorithm used for the calculation and that the 5 had no special meaning. Ironically, the real search looks back 12 months, but I'd shortened it to 3 while I tried to get the trendline working. Thanks so much for the help!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
