Create Timechart from multisearch

andres91302
Communicator

Hello everyone!

I'm trying to create a time chart of a variable that I have to compute as a global percentage between two searches, but after reading the documentation in Splunk I can't seem to find a way to do it right.

My original code looks like this:

| multisearch
[| search index="portalA"
| search py="X_O1"]
[| search index="portalA"
| search px="X_O3"]
| stats c(py) as START, c(px) as END
| eval P=round(100*END/START,1)
| fields P 

Now that I have calculated P (as the percentage), I would like to have this plotted as a time chart that shows P for the last 10 days...

So I was including

| timechart count by R limit=10 span=1d

at the end of my code. I will truly appreciate it if someone can kindly help me. Thank you SO MUCH

0 Karma

andres91302
Communicator

Hello! Thank you for reaching out to me... Thank you for pointing out a misspelling I had in my question... I just tried to add the code:

| timechart count by P span="1d"

At the beginning I got nothing, so I changed the command "stats" to "streamstats"; after that I got a weird result. I'd like to kindly explain that what I am trying to do is visualize a timechart with only the value of P for the last 10 days, to see if the current value of P now is below or above those of the 10 past days, but instead I have a table with numbers above 100 (which should not happen)... I don't know if the best thing to do would be to calculate the last 10 days manually... Thank you for any recommendation you can give me.

0 Karma

richgalloway
SplunkTrust

To see how the value of a single field changes over time, omit the 'by' clause.

... | timechart span=1d max(P) as P
---
If this reply helps you, Karma would be appreciated.

andres91302
Communicator

@richgalloway thank you so much! I tried

... | timechart span=1d max(P) as P

and it gave me a max value for P that's over 100, which for my data is impossible... 😞 I don't know if this is because of the code that I am using or because of the command streamstats, but if I go to my dashboard and calculate the value for P for "!yesterday" it always gives me a number below 100... I will be reading more of the documentation on streamstats. THANK YOU SO MUCH FOR YOUR HELP @richgalloway, it means the world to me, you have no idea, thank you so much

0 Karma

richgalloway
SplunkTrust

The timechart command requires the _time field, but fields P removed it.  Try fields _time P and then add your timechart command (using "count P" rather than "count R").

---
If this reply helps you, Karma would be appreciated.
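
An added example, not part of any post in this thread: one way to chart P per day is to let timechart do the daily counting, so that _time is kept and the ratio is computed inside each one-day bucket. It reuses the index and field values from the question; the 10-day time range and the single search in place of multisearch are assumptions.

```spl
index="portalA" (py="X_O1" OR px="X_O3") earliest=-10d@d latest=now
| timechart span=1d count(eval(py="X_O1")) as START, count(eval(px="X_O3")) as END
| eval P=if(START>0, round(100*END/START,1), null())
| fields _time P
```

P is a ratio of two independent daily counts, so a day with more END events than START events still yields a value above 100.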