Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Convert to Timechart

SplunkBaby
Explorer
‎02-18-2014 02:20 AM

My search string is
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count|eval Average=total /Count|table field total ,Count,Average

Actually I want to produce a timechart report and _time on X axis and Average on Y axis.
Can anybody help me to convert the above search to timechart format.

0 Karma
Reply

somesoni2
Revered Legend
‎02-18-2014 06:32 AM

Try this

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | bucket _time span=1d | stats sum(field) as total ,count(user) as Count by _time |eval Average=total/Count | timechart span=1d max(Average) as Average

Change the span value as per your need in bucket and timechart command (currently showing for 1 day).(both should match)

0 Karma
Reply

SplunkBaby
Explorer
‎02-18-2014 11:57 PM

when i run the below query
....| stats sum(Visits) as TotalVisit,count("USER_NAME") as Count|eval Average=TotalVisit/Count|table field TotalVisit,Count,Average
Output is 212 ,2, 106.
I need to convert this query to timechart base.
I convert the above query to your recommendation and i am not getting 4002 rows with _time but averge is not displayed.I use span=1m in both place.
Correct me if i am wrong.
basic purpose of my query is
1)calculate average(based on total and count) value on different time stamps.I would like to get the _time form host=B.
_time of 2 host are different.

0 Karma
Reply

emaccaferri
Communicator
‎02-18-2014 03:24 AM

You should change stats in eventstats, in this way you keep _time fild along the search. After that you can use timechart, you can also use math inline with it
timechart span=1h eval(total/Count) as Average.

Reply

Ayn
Legend
‎02-19-2014 12:25 AM

FWIW - I think you should learn about how timechart works instead of asking the community to give you ready-made solutions.

Reply

SplunkBaby
Explorer
‎02-18-2014 07:29 AM

Both of this solution's doesn't work

0 Karma
Reply

emaccaferri
Communicator
‎02-18-2014 06:22 AM

try
(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | eventstats sum(field)total ,count("user") as Count|eval Average=total /Count| timechart span=1h Average

or

(host=A AND "ER"=XXW) OR (host=B AND "EMPCODE"=ABC AND ) | timechart span=1h eval(sum(field)/count("user")) as Average

0 Karma
Reply

SplunkBaby
Explorer
‎02-18-2014 06:08 AM

I tried this and getting the error
Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

(host=A AND "ER"=ABC ) OR (host=B AND "EMPCODE"=ABC AND ) | stats sum(field)total ,count("user") as Count |timechart span=1h eval(TotalVisit/Count) by "ER Code"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...