Splunk Search

Create Timechart from multisearch

andres91302
Communicator

Hello everyone!

I'm trying to create a time chart of a variable that I have to compute as a global percentage between two searches, but after reading the documentation in Splunk I can't seem to find a way to do it right.

My original code looks like this:

| multisearch
[| search index="portalA"
| search py="X_O1"]
[| search index="portalA"
| search px="X_O3"]
| stats c(py) as START, c(px) as END
| eval P=round(100*END/START,1)
| fields P 

Now that I have calculated P (as the percentage), I would like to plot it as a time chart that shows P for the last 10 days.

So I was including

| timechart count by R limit=10 span=1d

at the end of my code. I will truly appreciate it if someone can kindly help me. Thank you SO MUCH!


andres91302
Communicator

Hello! Thank you for reaching out to me, and thank you for pointing out a misspelling I had in my question. I just tried adding the code:

| timechart count by P span="1d"

At the beginning I got nothing, so I changed the command "stats" to "streamstats", and after that I got a weird result. I'd like to kindly explain that what I am trying to do is visualize a timechart with only the value of P for the last 10 days, to see if the current value of P is below or above those of the past 10 days, but instead I have a table with numbers above 100 (which should not happen). I don't know if the best thing to do would be to calculate the last 10 days manually. Thank you for any recommendation you can give me.


richgalloway
SplunkTrust

To see how the value of a single field changes over time, omit the 'by' clause.

... | timechart span=1d max(P) as P
---
If this reply helps you, Karma would be appreciated.

andres91302
Communicator

@richgalloway thank you so much. I tried

... | timechart span=1d max(P) as P

and it gave me a max value for P that's over 100, which for my data is impossible... 😞 I don't know if this is because of the code that I am using or because of the command streamstats, but if I go to my dashboard and calculate the value of P for "!yesterday" it always gives me a number below 100... I will be reading more about the documentation of streamstats. THANK YOU SO MUCH FOR YOUR HELP @richgalloway, it means the world to me, you have no idea. Thank you so much.


richgalloway
SplunkTrust

The timechart command requires the _time field, but "fields P" removed it. Try "fields _time P" and then add your timechart command (using "count P" rather than "count R").

---
If this reply helps you, Karma would be appreciated.
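A complete search that produces the chart the question asks for, added here as an example that is not from either participant's posts. It reuses the index name and field names from the question (index="portalA", py, px), which are assumed to exist in the reader's environment. The key change is that the per-day bucketing has to happen before the percentage is computed: stats collapses every event into one summary row, which has no _time value, so nothing downstream can be charted. timechart with span=1d does the same counting per day and keeps _time, and the eval then runs once per day bucket.

```spl
| multisearch
    [ search index="portalA" py="X_O1" earliest=-10d@d ]
    [ search index="portalA" px="X_O3" earliest=-10d@d ]
| timechart span=1d count(py) AS START count(px) AS END
| eval P=round(100*END/START, 1)
| fields _time P
```

count(py) counts only events where py is present, so START and END mean the same thing as the c(py) and c(px) in the original stats line, just per day. earliest=-10d@d restricts each subsearch to the last 10 days at midnight boundaries, so the chart covers exactly the comparison window. A day with START=0 yields a null P rather than a value above 100, because eval returns null on division by zero. Since both subsearches read the same index, the multisearch can also be replaced with a single base search, index="portalA" (py="X_O1" OR px="X_O3") earliest=-10d@d, followed by the same timechart and eval lines.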