- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Convert to Timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert to Timechart
My search string is
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count|eval Average=total /Count|table field total ,Count,Average
Actually I want to produce a timechart report and _time on X axis and Average on Y axis.
Can anybody help me to convert the above search to timechart format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | bucket _time span=1d | stats sum(field) as total ,count(user) as Count by _time |eval Average=total/Count | timechart span=1d max(Average) as Average
Change the span value as per your need in bucket and timechart command (currently showing for 1 day).(both should match)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when i run the below query
....| stats sum(Visits) as TotalVisit,count("USER_NAME") as Count|eval Average=TotalVisit/Count|table field TotalVisit,Count,Average
Output is 212 ,2, 106.
I need to convert this query to timechart base.
I convert the above query to your recommendation and i am not getting 4002 rows with _time but averge is not displayed.I use span=1m in both place.
Correct me if i am wrong.
basic purpose of my query is
1)calculate average(based on total and count) value on different time stamps.I would like to get the _time form host=B.
_time of 2 host are different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should change stats in eventstats, in this way you keep _time fild along the search. After that you can use timechart, you can also use math inline with it
timechart span=1h eval(total/Count) as Average.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FWIW - I think you should learn about how timechart works instead of asking the community to give you ready-made solutions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both of this solution's doesn't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | eventstats sum(field)total ,count("user") as Count|eval Average=total /Count| timechart span=1h Average
or
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | timechart span=1h eval(sum(field)/count("user")) as Average
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this and getting the error
Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form
(host=A AND "ER"=ABC ) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count |timechart span=1h eval(TotalVisit/Count) by "ER Code"
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
