I have data in the form like this:
21:00 Pos=A Strength=45
21:00 Pos=B Strength=60
21:00 Pos=C Strength=32
22:00 Pos=A Strength=44
22:00 Pos=B Strength=62
22:00 Pos=C Strength=33
I do graph them like this:
my search | timechart avg(Strength) by Pos
Now I would like to have one average line for the three Position.
But do not see how to do this when data is not at the same line.
I tried to use transaction _time , but did not give me what I like.
Add this to the end of your search:
| eval numCols=0
| foreach * [ eval numCols = numCols + 1]
| addtotals row=t col=f
| eval Total = Total / numCols
| fields - numCols
Add this to the end of your search:
| eval numCols=0
| foreach * [ eval numCols = numCols + 1]
| addtotals row=t col=f
| eval Total = Total / numCols
| fields - numCols
I will accept this, since it was close, but did have errors.
Doing math after the timechart command did not cross my mind, but it is the right/best way to do it.
But you need to move the addtotals up to right after the timehart. If not, it will also sum the number of rows inn to the data. So my solution becomes like this:
my search
| timechart avg(Strength) by Pos
| addtotals row=t col=f ! Give a new colum that contains the sum of all rows in a variable named Total
| eval numCols=-2 ! -2 to ignore Total and numCol Column
| foreach * [ eval numCols = numCols+1] ! Count all coloums and store it in numCols
| eval Total = Total / numCols ! Devide Total on numCols
| fields - numCols ! Remove the colum counter so it will not be grapehed
Initialize numCols to -2 to eliminate 1 step.
Updated my post to reflect that. Thanks.
...| timechart avg(Strength)
Or if you want all of this on one graph
...| eval PosA=if(Pos=="A",Strength,0) | eval PosB=if(Pos=="B",Strength,0) | eval PosC=if(Pos=="C",Strength,0) | timechart avg(PosA) avg(PosB) avg(PosC) avg(Strength)