Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to overlay an average as a line over a timeseries

Splunkster45
Communicator
‎10-10-2016 02:31 PM

I've looked around for an answer. Indeed, I modeled my answer after the following question:
https://answers.splunk.com/answers/225230/how-to-display-the-average-of-the-week-as-a-straig.html?ut...

I didn't get it to work, so I will ask my questions.

I have a search that gives me a timeseries of an event and a search that gives me an average. I can use an appendcols item to join the two, however, when I look at the graph, the timeseries shows up, but the average is a single dot for one timestamped value. I'd like the average to be a line across the chart.

Here's the command I'm running:

<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | sort by ODATE, StartTime | appendcols [ search <query> | stats AVG(COUNT_ONE) as new by MODEL]

alt text

As you can see, the last column only has one value for the average. If I can repeat this value on each row, I'll get what I want in my graph.

Thoughts?

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-10-2016 02:34 PM

You don't need the appendcols. Try this

<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | eventstats AVG(COUNT_ONE) as new by MODEL | sort by ODATE, StartTime

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-10-2016 02:34 PM

You don't need the appendcols. Try this

<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | eventstats AVG(COUNT_ONE) as new by MODEL | sort by ODATE, StartTime
Reply
Solved! Jump to solution

Splunkster45
Communicator
‎10-11-2016 07:08 AM

By putting the eventstats option first and the stats optino second, I was able to get it.

<query>| eventstats AVG(COUNT_ONE) as new by MODEL | stats SUM(COUNT_ONE), avg(new) by StartTime, ODATE, MODEL
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...