Splunk Search

Convert to Timechart

SplunkBaby
Explorer

My search string is
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count|eval Average=total /Count|table field total ,Count,Average

Actually I want to produce a timechart report and _time on X axis and Average on Y axis.
Can anybody help me to convert the above search to timechart format.

0 Karma

somesoni2
Revered Legend

Try this

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | bucket _time span=1d | stats sum(field) as total ,count(user) as Count by _time |eval Average=total/Count | timechart span=1d max(Average) as Average

Change the span value as per your need in bucket and timechart command (currently showing for 1 day).(both should match)

0 Karma

SplunkBaby
Explorer

when i run the below query
....| stats sum(Visits) as TotalVisit,count("USER_NAME") as Count|eval Average=TotalVisit/Count|table field TotalVisit,Count,Average
Output is 212 ,2, 106.
I need to convert this query to timechart base.
I convert the above query to your recommendation and i am not getting 4002 rows with _time but averge is not displayed.I use span=1m in both place.
Correct me if i am wrong.
basic purpose of my query is
1)calculate average(based on total and count) value on different time stamps.I would like to get the _time form host=B.
_time of 2 host are different.

0 Karma

emaccaferri
Communicator

You should change stats in eventstats, in this way you keep _time fild along the search. After that you can use timechart, you can also use math inline with it
timechart span=1h eval(total/Count) as Average.

Ayn
Legend

FWIW - I think you should learn about how timechart works instead of asking the community to give you ready-made solutions.

SplunkBaby
Explorer

Both of this solution's doesn't work

0 Karma

emaccaferri
Communicator

try
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | eventstats sum(field)total ,count("user") as Count|eval Average=total /Count| timechart span=1h Average

or

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | timechart span=1h eval(sum(field)/count("user")) as Average

0 Karma

SplunkBaby
Explorer

I tried this and getting the error
Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

(host=A AND "ER"=ABC ) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count |timechart span=1h eval(TotalVisit/Count) by "ER Code"

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...