So I have some data which looks similar to this:
time="timevalue", name="name", measurement="value"
And I have 7 different values for name (e.g., name1, name2, etc.)
How can I group the data together so that, on the same trendline (graphing averages), it has the groups
{name1, name2}
{name3, name4, name5, name6, name7}
And performs my calculations on those.
The search right now returns an average of all events:
base search
| timechart span=12h values(measurement) as Measurement
| streamstats window=180 AVG
| table _time AVG*
Try this search anywhere. I used numeric values for the measurement field and grouped with eval by names. Your timechart(values) might create multivalue fields, which I think will not work very well with streamstats. Hope this sets you in the right direction.
| gentimes start="05/16/2017:00:00:00" end="05/17/2017:00:00:00" increment=10m
| eval _time = starttime
| eval data = "name1;55,66,77,88|name2;55,66,77,88|name3;54,46,67,89|name4;53,36,73,38|name5;25,62,27,28|name6;51,16,71,18|name7;50,60,70,80"
| makemv delim="|" data
| mvexpand data
| rex field=data "(?<name>\w+)\;(?<measurement>\S+)"
| makemv delim="," measurement
| mvexpand measurement
| fields _time name measurement
The above generates fake data; below is the solution.
| eval groups = if(name=="name1" OR name=="name2","group1","group2")
| timechart span=12h values(measurement) as Measurement by groups
Hope it helps.
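For readers who want to check what the grouped chart should contain before trusting a Splunk search, here is the same pipeline re-implemented in Python as an added example (not SPL, and not code from the thread). It assumes the asker's raw lines look exactly like time="...", name="...", measurement="..." with ISO-8601 UTC timestamps; the sample events below are constructed for the example. It parses each line the way the rex in the answer does, assigns group1/group2 with the same rule as the eval, floors each event into a 12h span and averages per span and group (what timechart span=12h avg(measurement) by groups yields, rather than values()), and finally applies a trailing-window mean like streamstats window=N. Events whose measurement is not numeric are skipped, which is also what avg() does in SPL.

```python
"""Added reference implementation of the grouping/averaging from the answer.
Not SPL and not from the thread; the sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the asker's key="value" format (not real data).
SAMPLE_EVENTS = """\
time="2017-05-16T00:10:00Z", name="name1", measurement="55"
time="2017-05-16T00:20:00Z", name="name2", measurement="66"
time="2017-05-16T00:30:00Z", name="name3", measurement="54"
time="2017-05-16T00:40:00Z", name="name4", measurement="53"
time="2017-05-16T00:50:00Z", name="name7", measurement="50"
time="2017-05-16T13:00:00Z", name="name1", measurement="77"
time="2017-05-16T13:10:00Z", name="name2", measurement="88"
time="2017-05-16T13:20:00Z", name="name5", measurement="25"
time="2017-05-16T13:30:00Z", name="name6", measurement="51"
time="2017-05-16T13:40:00Z", name="name3", measurement="oops"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # equivalent of the rex field extraction
SPAN_SECONDS = 12 * 3600                 # timechart span=12h


def parse_event(line):
    """Turn one key="value" line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def group_of(name):
    """Same rule as eval groups=if(name=="name1" OR name=="name2","group1","group2")."""
    return "group1" if name in ("name1", "name2") else "group2"


def bucket(ts):
    """Floor an ISO-8601 UTC timestamp to the start of its 12h span (epoch seconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % SPAN_SECONDS


def timechart_avg_by_group(text):
    """Return {span_start_epoch: {group: mean}}, ordered by span start.

    This is what timechart span=12h avg(measurement) by groups produces:
    one row per span, one column per group."""
    sums = defaultdict(lambda: defaultdict(lambda: [0.0, 0]))  # span -> group -> [sum, count]
    for line in text.splitlines():
        ev = parse_event(line)
        try:
            value = float(ev["measurement"])
        except (KeyError, ValueError):
            continue  # missing or non-numeric measurement: avg() ignores it as well
        acc = sums[bucket(ev["time"])][group_of(ev["name"])]
        acc[0] += value
        acc[1] += 1
    return {span: {g: s / n for g, (s, n) in groups.items()}
            for span, groups in sorted(sums.items())}


def moving_average(series, window):
    """Trailing-window mean over a list of per-span values, like streamstats window=N avg(x)."""
    out = []
    for i in range(len(series)):
        chunk = series[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


if __name__ == "__main__":
    chart = timechart_avg_by_group(SAMPLE_EVENTS)
    for span, groups in chart.items():
        print(datetime.fromtimestamp(span, timezone.utc).isoformat(), groups)
    g1 = [groups.get("group1") for groups in chart.values()]
    print("group1 moving average (window 2):", moving_average(g1, 2))
```

With the constructed events, the first 12h span averages 55 and 66 for group1 and 54, 53 and 50 for group2; the second span gives 82.5 for group1 and 38.0 for group2 because the "oops" measurement is dropped. Whatever window you pick for streamstats, remember that after timechart the window counts spans (12h rows), not raw events.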
Perfect. I've been working on it and did much the same thing. I'm rather new to Splunk and didn't know how Boolean operations were parsed, and I was trying to ram through
if(name=a OR b, " ", " ")
rather than
if(name=a OR name=b, ...)
Since the names are numeric, I was able to do
if(name<=name, ...)
But thanks for letting me know about that!
you bet! glad it helped 🙂
Do you mean this:
base search
| timechart span=12h values(measurement) as Measurement by name
| streamstats window=180 AVG
| table _time AVG*
Yes, but instead of taking the averages by each individual name, I'd like to take the averages of (name1, name2) and (names 3-7) separately, while displaying them on the same chart.