Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a timechart with multiple values?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
05-15-2018
09:46 AM
Hello!
I'm trying to make a timechart like this one below, but I have some hosts that I need to show their medium cpu usage per hour (0am - 11 pm. I'm getting one-month data and trying to show their average per hour, but I only can put the average of all hosts, but I need the average for each one.
My search until now:
earliest=04/01/2018:00:00:00 latest=04/30/2018:23:59:00 index="summary" instance="cpu.usage.average" source=Summary_VMhost
| rename media as Value
| table *
| where VMhost="" OR like(VMhost,"hostname00020.somecorp.net") OR like(VMhost,"hostname00021.somecorp.net") OR like(VMhost,"hostname052073.somecorp.net") OR like(VMhost,"hostname052074.somecorp.net") OR like(VMhost,"hostname052075.somecorp.net") OR like(VMhost,"hostname052076.somecorp.net") OR like(VMhost,"hostname631.somecorp.net") OR like(VMhost,"hostname632.somecorp.net") OR like(VMhost,"hostname641.somecorp.net") OR like(VMhost,"hostname642.somecorp.net")
| eval date_hour=strftime(_time,"%H")
| eval Horario_critico=if((date_hour>=7 AND date_hour<11) OR (date_hour>=13 AND date_hour<17),100,null)
| stats avg(Value) max(Horario_critico) by date_hour
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-15-2018
10:35 AM
Instead of stats use chart to have date_hour on x-axis and split by VMhost
<YourCurrentSearch>
| chart avg(Value) by date_hour VMhost
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-15-2018
10:35 AM
Instead of stats use chart to have date_hour on x-axis and split by VMhost
<YourCurrentSearch>
| chart avg(Value) by date_hour VMhost
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
05-16-2018
03:12 AM
I didn't know that diference about both(stats and chart), thanks it works perfectly!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-16-2018
04:22 AM
@ppatrikfr glad it worked, I have converted my comment to answer. Please accept to mark this question as answered!
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
