Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to rename a field for a timechart, and display a trendline based on a certain variable?

JoshuaJohn
Contributor
‎08-24-2016 09:35 AM

I am trying to get a line graph that displays response time by datacenter. I am having issues:
1) my chart is not renaming the field max(time) to Max_Resp
2) I cannot display trendline by my variable datacenter like I am doing for Max_resp

index="nitro_prod_email" "ET Request Took" earliest=-20m | rex ".*ET Request Took: (?.*?) ms" | eval datacenter=if(like(host,"%plg%"),"GT","MF") | timechart max(time) as Max_Resp by datacenter | eval Max_Resp = round(Max_Resp,2)  | trendline sma5(Max_Resp) as Max_Trend by datacenter

Any solutions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-24-2016 10:23 AM

timechart transforms your data into a table where each row is _time and column is one of the values of datacenter(GT or MF) field. There is no field called Max_Resp. Also, trendline does not accept the split by clause (by datacenter). So, your option are 

index="nitro_prod_email" "ET Request Took" earliest=-20m | rex ".*ET Request Took: (?<time>.*?) ms" | eval datacenter=if(like(host,"%plg%"),"GT","MF") | timechart max(time) as Max_Resp by datacenter | foreach * [eval <<FIELD>> = if(<<FIELD>>=_time, _time, round(<<FIELD>>,2))]  | foreach * [eval <<FIELD>> = if(<<FIELD>>=_time, _time, round(<<FIELD>>,2))] | addtotals | trendline sma5(Total) as sma_Total | fields - Total

*OR**

index="nitro_prod_email" "ET Request Took" earliest=-20m | rex ".*ET Request Took: (?<time>.*?) ms" | eval datacenter=if(like(host,"%plg%"),"GT","MF") | bin _time | stats max(time) as Max_Resp by _time datacenter | eval Max_Resp= round(Max_Resp,2) | trendline sma5(Max_Resp) as sma_Max_Resp

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-24-2016 10:23 AM

timechart transforms your data into a table where each row is _time and column is one of the values of datacenter(GT or MF) field. There is no field called Max_Resp. Also, trendline does not accept the split by clause (by datacenter). So, your option are 

index="nitro_prod_email" "ET Request Took" earliest=-20m | rex ".*ET Request Took: (?<time>.*?) ms" | eval datacenter=if(like(host,"%plg%"),"GT","MF") | timechart max(time) as Max_Resp by datacenter | foreach * [eval <<FIELD>> = if(<<FIELD>>=_time, _time, round(<<FIELD>>,2))]  | foreach * [eval <<FIELD>> = if(<<FIELD>>=_time, _time, round(<<FIELD>>,2))] | addtotals | trendline sma5(Total) as sma_Total | fields - Total

*OR**

index="nitro_prod_email" "ET Request Took" earliest=-20m | rex ".*ET Request Took: (?<time>.*?) ms" | eval datacenter=if(like(host,"%plg%"),"GT","MF") | bin _time | stats max(time) as Max_Resp by _time datacenter | eval Max_Resp= round(Max_Resp,2) | trendline sma5(Max_Resp) as sma_Max_Resp
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-24-2016 11:13 AM

Hmm so there would be no way to separate the trendlines by datacenter? I don't really need the total trendline. I will try appending with something along the lines of host =gt all of the lines, then host = mf and all of the lines?

0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-24-2016 12:06 PM

So I wrote this: 

index="nitro_prod_email" host="plg*" "ET Request Took" | rex ".*ET Request Took: (?<time>.*?) ms" | timechart max(time) as Max_gt_Resp| eval Max_gt_Resp= round(Max_gt_Resp,2) | trendline sma5(Max_gt_Resp) as Max_gt_Trend | append [ search index="nitro_prod_email" host="plm*" "ET Request Took" | rex ".*ET Request Took: (?<time>.*?) ms" | timechart max(time) as Max_mf_Resp| eval Max_mf_Resp= round(Max_mf_Resp,2) | trendline sma5(Max_mf_Resp) as Max_mf_Trend ]

This gives me exactly what I wanted but it separates the two into two different graphs, I want them to overlay on top of each other. Any solutions?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-24-2016 12:13 PM

Not sure I understand, but I think you mean overlay the sma values over the max values. In the format options for chart, there is a Chart Overlay, you can use that to pick the sma fields as overlay values.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Viz/Chartcontrols#Chart_overlay_example_.28dual_ax...

0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-24-2016 12:32 PM

Didn't really work as I needed it to, but what I have is actually better than what my original goal was so I am happy. Thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...