Solved: How to get a timechart for two values, but not sor...

Skamensky · ‎07-06-2016

I'm trying to plot to two separate values against another value like this

timechart avg(x) avg(y) by z

And I want to limit the results to the top 5 values. The problem comes in when I use limit to achieve this. It will score z in alphabetical order (each field value z occurs the same amount of times as the rest). How can I get a timechart of these two values, limited to only the z values that have the greatest, x, y values?

sundareshr · ‎07-06-2016

Try this

... |  bin _time as time | stats avg(bytes) as x avg(spent) as y by time z | sort z x y | streamstats window=6 count by z x y | where count<6 | chart values(x) as x values(y) as y over time by z  | eval time=strftime(time, "%x %X")

View solution in original post

sundareshr · ‎07-06-2016

Try this

... |  bin _time as time | stats avg(bytes) as x avg(spent) as y by time z | sort z x y | streamstats window=6 count by z x y | where count<6 | chart values(x) as x values(y) as y over time by z  | eval time=strftime(time, "%x %X")

martin_mueller · ‎07-06-2016

Please give an example of what your desired result looks like and how that differs from timechart's default behaviour.

Skamensky · ‎07-06-2016

For instance let say foo and bar have the highest values of x. I want to create a timechart of values x and y by z and I want to display the ones with top value.

If I do Timechart x y by z limit=x it will instead return the z values that are first alphabetically and not ones that have highest x values.

How to get a timechart for two values, but not sort by the split-by field alphabetically?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!