Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to overlay an average as a line over a timeseries

Splunkster45
Communicator
‎10-10-2016 02:31 PM

I've looked around for an answer. Indeed, I modeled my answer after the following question:
https://answers.splunk.com/answers/225230/how-to-display-the-average-of-the-week-as-a-straig.html?ut...

I didn't get it to work, so I will ask my questions.

I have a search that gives me a timeseries of an event and a search that gives me an average. I can use an appendcols item to join the two, however, when I look at the graph, the timeseries shows up, but the average is a single dot for one timestamped value. I'd like the average to be a line across the chart.

Here's the command I'm running:

<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | sort by ODATE, StartTime | appendcols [ search <query> | stats AVG(COUNT_ONE) as new by MODEL]

alt text

As you can see, the last column only has one value for the average. If I can repeat this value on each row, I'll get what I want in my graph.

Thoughts?

Preview file
17 KB
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-10-2016 02:34 PM

You don't need the appendcols. Try this

<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | eventstats AVG(COUNT_ONE) as new by MODEL | sort by ODATE, StartTime

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-10-2016 02:34 PM

You don't need the appendcols. Try this

<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | eventstats AVG(COUNT_ONE) as new by MODEL | sort by ODATE, StartTime
Reply
Solved! Jump to solution

Splunkster45
Communicator
‎10-11-2016 07:08 AM

By putting the eventstats option first and the stats optino second, I was able to get it.

<query>| eventstats AVG(COUNT_ONE) as new by MODEL | stats SUM(COUNT_ONE), avg(new) by StartTime, ODATE, MODEL
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...