How to plot a timechart from a stats search output...

MayankSplunk · ‎11-25-2014

After doing transaction, removing unique row and finally applying

| stats list(score) as score, list(Id) as Id by Type

gave me following result, can someone tell me a way to plot this as timechart span=1m avg(Score) by Type this command doesn't plot any data

Type          Score
A               123
                786
                 45

B                34
                 95

somesoni2 · ‎11-25-2014

Try this
If you want avg of all values of score for a Type, including duplicates (two entries with same score and Type)

your base search ..before your stats | timechart span=1m avg(score) by Type

OR
If you want avg of only unique values of score for a Type, excludingduplicates

your base search ..before your stats | bucket span=1m _time | stats count by score, type, _time | timechart span=1m avg(score) by Type

MayankSplunk · ‎11-25-2014

Hi MuS,

Sorry that din't work.

MuS · ‎11-25-2014

You must make sure to have a _time field available after the stats or the timechart will fail, do as I said or do as @somesoni2 said 😉

MuS · ‎11-25-2014

Hi MayankSplunk,

after the stats you don't have _time available for timechart, so do something like this:

| stats list(score) as score, list(Id) as Id by Type, _time | timechart ....

cheers, MuS

How to plot a timechart from a stats search output with span=1m?