Re: How to plot differences of values over time?

henry_chiang · ‎04-03-2023

hi all

I have a data set like this:

_time, duration, category

XXX, 0.145,A

XXY, 0.177,B

XXZ, 0.178, A

XXX, XXY,XXZ are _time

i plot a graph like timechart avg(duration) by category and it shows two lines perfectly

but I want to plot a graph over time of the differences between the two averages (two categories). How to do that?

woodcock · ‎04-12-2023

yuanliu · ‎04-04-2023

If you examine the stats table after timechart commands, you will see two columns A and B. Treat them the same as field names so you can calculate the difference. For example,

| timechart avg(duration) by category
| eval diff = A - B
| fields diff

Hope this helps.

henry_chiang · ‎04-04-2023

Thanks it works fine!

but what if I did

timechart avg(duration),p95(duration) by category

then how do I properly rename the fields to do the calculation between the averages and the p95s?

bowesmana · ‎04-04-2023

When you use timechart with split by, the columns are named with the aggregation + the split, so use this technique

| timechart span=15m avg(duration) as avg p95(duration) as p95 by category
| foreach avg* [ eval "diff<<MATCHSTR>>"='p95<<MATCHSTR>>'-'<<FIELD>>' ]

By using 'as avg' and 'as p95' means you have consistent naming and you can then use the foreach, which will iterate all the avg: category fields and use the foreach tokens <<MATCHSTR>> and <<FIELD>> to reference the other fields.

So this will create fields diff: category which is the p95 - the avg. Note the use of SINGLE quotes on the right hand side and double quotes on the left!

How to plot differences of values over time?

eval

timechart

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?