Splunk Search

Convert to Timechart

SplunkBaby
Explorer

My search string is
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count|eval Average=total /Count|table field total ,Count,Average

Actually I want to produce a timechart report and _time on X axis and Average on Y axis.
Can anybody help me to convert the above search to timechart format.

0 Karma

somesoni2
Revered Legend

Try this

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | bucket _time span=1d | stats sum(field) as total ,count(user) as Count by _time |eval Average=total/Count | timechart span=1d max(Average) as Average

Change the span value as per your need in bucket and timechart command (currently showing for 1 day).(both should match)

0 Karma

SplunkBaby
Explorer

when i run the below query
....| stats sum(Visits) as TotalVisit,count("USER_NAME") as Count|eval Average=TotalVisit/Count|table field TotalVisit,Count,Average
Output is 212 ,2, 106.
I need to convert this query to timechart base.
I convert the above query to your recommendation and i am not getting 4002 rows with _time but averge is not displayed.I use span=1m in both place.
Correct me if i am wrong.
basic purpose of my query is
1)calculate average(based on total and count) value on different time stamps.I would like to get the _time form host=B.
_time of 2 host are different.

0 Karma

emaccaferri
Communicator

You should change stats in eventstats, in this way you keep _time fild along the search. After that you can use timechart, you can also use math inline with it
timechart span=1h eval(total/Count) as Average.

Ayn
Legend

FWIW - I think you should learn about how timechart works instead of asking the community to give you ready-made solutions.

SplunkBaby
Explorer

Both of this solution's doesn't work

0 Karma

emaccaferri
Communicator

try
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | eventstats sum(field)total ,count("user") as Count|eval Average=total /Count| timechart span=1h Average

or

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | timechart span=1h eval(sum(field)/count("user")) as Average

0 Karma

SplunkBaby
Explorer

I tried this and getting the error
Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

(host=A AND "ER"=ABC ) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count |timechart span=1h eval(TotalVisit/Count) by "ER Code"

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...