Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display a chart with values and also a timechart below that?

chadman
Path Finder
‎06-25-2015 12:35 PM

I'm trying to show a chart and need to show the actual values. At the same time I would like to display a linear timeline at the bottom of the chart. Using this search, my chart looks good.

sourcetype="log_sort" host=myhost*  | chart values(idle) by _time

This works, but it does not display anything in the timechart at the bottom. I tried another search like this:

| timechart values(idle) as "Idle Time"

this shows the timechart at the bottom, but is trying to average my values. Many times my line will drop to 0 and I need to show that on the chart. Currently the avg might prevent this from happening. Any ideas?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2015 08:17 PM

I believe you are misunderstanding the values function and what you are really trying to do is something this:

 sourcetype="log_sort" host=myhost* | timechart span=5m avg(idle) as "Idle Time"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2015 08:17 PM

I believe you are misunderstanding the values function and what you are really trying to do is something this:

 sourcetype="log_sort" host=myhost* | timechart span=5m avg(idle) as "Idle Time"
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎06-26-2015 08:22 AM

Got it. When I used the values it just looked how I wanted it to. I think setting the span to a lower time would also help. My data is normally updated every min. My goal is to have the chart really indicate that it's 0 when that occurs and not an average. I think the span was being auto-scaled and that might be why my charts did not look right when I looked at data over a longer period of time.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-26-2015 08:49 AM

OK, then something more like this:

sourcetype="log_sort" host=myhost* | timechart span=1m max(idle) as "Idle Time"

This way the 0 values of Idle Time indicate the gaps.

0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎06-26-2015 10:50 AM

That works great!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...