Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create Timechart from multisearch

andres91302
Communicator
‎04-19-2021 07:09 AM

Hello everyone!

I'm trying to create a time chart of a variable that I have to compute as a global percentage between two searches, but after reading the documentation in splunk I cant seem to find a way to do it right.

My orginal code looks like this:

| multisearch
[| search index="portalA"
| search py="X_O1"]
[| search index="portalA"
| search px="X_O3"]
| stats c(py) as START, c(px) as END
| eval P=round(100*END/START,1)
| fields P 

now that I have calculated P (as the percestage) I would like to have this plot as a time chart that shows P for the last 10 days... 

so I was including 
| timechart count by R limit=10 span=1d at the end of my code, I will truly appreciate if someone can kindly help me thank you SO MUCH

Labels (1)
Labels
0 Karma
Reply

andres91302
Communicator
‎04-19-2021 12:07 PM

Hello! Thank you for reaching out to  me... Thank you for pointing out a misspelled I had in my question... I just tried to add the code:

| timechart count by P span="1d"
at the begining I got nothng so I changed the command "stats" for  "streamstats" after that  got a weird result, I'd like to kindly explain that what I am trying to do is visualize a timechart with only the value of P for the last 10 days, to see if the current value of P now is below or above those of the 10 past days, but instead I have a table with numbers above 100 (which should not happen) ... I dont know if the best thing to do would be to calculate the last 10 days manualy.. thank you for any recomendation you can give me

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-19-2021 05:36 PM

To see how the value of a single field changes over time, omit the 'by' clause.

... | timechart span=1d max(P) as P
---
If this reply helps you, Karma would be appreciated.
Reply

andres91302
Communicator
‎04-19-2021 06:49 PM

@richgalloway  thank you so much  I tried 

... | timechart span=1d max(P) as P

 and It gave me a max value for P thats over a 100 which for my data is imposible... 😞 I dont know if this is because the coude that I am using or because the command streamstats, but If I go to my dashboard and calculate the value dor P for "!yesterday" it always gives me a number below  100... I will be reading more about the documentation of streams stats THANK YOU FO MUCH FOR YOUR HELP @richgalloway it means the wrld to me you have no idea thank yu so much

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-19-2021 07:18 AM

The timechart command requires the _time field, but fields P removed it.  Try fields _time P and then add your timechart command (using "count P" rather than "count R").

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top