Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to plot differences of values over time?

henry_chiang
New Member
‎04-03-2023 08:56 PM

hi all

I have a data set like this:

_time, duration, category

XXX, 0.145,A

XXY, 0.177,B

XXZ, 0.178, A

XXX, XXY,XXZ are _time

i plot a graph like timechart avg(duration) by category and it shows two lines perfectly

but I want to plot a graph over time of the differences between the two averages (two categories). How to do that?

Labels (2)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 10:25 AM

Just add this:
| eval diff = B-A
| fields - A B

Like this:
index="_internal" AND source="*metrics.log" AND kb
| eval category=ev%2
| eval category = if(category==0, "A", "B")
| timechart avg(kb) BY category
| eval diff = B-A
| fields - A B

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-04-2023 12:33 AM

If you examine the stats table after timechart commands, you will see two columns A and B.  Treat them the same as field names so you can calculate the difference.  For example,

| timechart avg(duration) by category
| eval diff = A - B
| fields diff

Hope this helps.

0 Karma
Reply

henry_chiang
New Member
‎04-04-2023 02:27 PM

Thanks it works fine!

but what if I did 

timechart avg(duration),p95(duration) by category

then how do I properly rename the fields to do the calculation between the averages and the p95s?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-04-2023 04:17 PM

When you use timechart with split by, the columns are named with the aggregation + the split, so use this technique

| timechart span=15m avg(duration) as avg p95(duration) as p95 by category
| foreach avg* [ eval "diff<<MATCHSTR>>"='p95<<MATCHSTR>>'-'<<FIELD>>' ]

By using 'as avg' and 'as p95' means you have consistent naming and you can then use the foreach, which will iterate all the avg: category fields and use the foreach tokens <<MATCHSTR>> and <<FIELD>> to reference the other fields.

So this will create fields diff: category which is the p95 - the avg. Note the use of SINGLE quotes on the right hand side and double quotes on the left!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...