How to plot differences of values over time?
Hi all,
I have a data set like this:
_time, duration, category
XXX, 0.145,A
XXY, 0.177,B
XXZ, 0.178, A
XXX, XXY, XXZ are _time
I plot a graph like timechart avg(duration) by category and it shows two lines perfectly,
but I want to plot a graph over time of the differences between the two averages (two categories). How do I do that?

Just add this:
| eval diff = B-A
| fields - A B
Like this:
index="_internal" AND source="*metrics.log" AND kb
| eval category=ev%2
| eval category = if(category==0, "A", "B")
| timechart avg(kb) BY category
| eval diff = B-A
| fields - A B

If you examine the stats table after timechart commands, you will see two columns A and B. Treat them the same as field names so you can calculate the difference. For example,
| timechart avg(duration) by category
| eval diff = A - B
| fields diff
Hope this helps.
Thanks, it works fine!
But what if I did
timechart avg(duration),p95(duration) by category
then how do I properly rename the fields to do the calculation between the averages and the p95s?

When you use timechart with split by, the columns are named with the aggregation + the split, so use this technique:
| timechart span=15m avg(duration) as avg p95(duration) as p95 by category
| foreach avg* [ eval "diff<<MATCHSTR>>"='p95<<MATCHSTR>>'-'<<FIELD>>' ]
Using 'as avg' and 'as p95' means you have consistent naming, and you can then use foreach, which will iterate over all the avg: category fields and use the foreach tokens <<MATCHSTR>> and <<FIELD>> to reference the other fields.
So this will create fields diff: category, each of which is the p95 - the avg. Note the use of SINGLE quotes on the right-hand side and double quotes on the left!
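
Added example, not from any of the posters above: a self-contained search that applies the column naming described in this thread ("avg: A", "p95: A", and so on) to compute the difference between the two categories for each aggregation, rather than p95 minus avg within one category. The events are constructed with makeresults (200 one-minute samples with random durations, alternating between categories A and B), and the field names avg_diff and p95_diff are chosen here for illustration.

```spl
| makeresults count=200
| streamstats count AS n
| eval _time = _time - n * 60
| eval category = if(n % 2 == 0, "A", "B")
| eval duration = round((random() % 1000) / 1000, 3)
| timechart span=15m avg(duration) AS avg p95(duration) AS p95 BY category
| eval avg_diff = 'avg: B' - 'avg: A'
| eval p95_diff = 'p95: B' - 'p95: A'
| fields _time avg_diff p95_diff
```

The single quotes are required on the right-hand side because the column names contain a colon and a space; without them eval does not read them as field references.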
