Re: How to timechart count as variance from moving...

robempire · ‎04-06-2022

This seems to me like it should be super simple (looker, tableau, etc) but I've been working at this for almost 2 days and I'm getting nowhere, I would be very appreciative if anyone could help.

I'm trying to get:

Chart the percentage difference between count of _time (ie. count of records) and a simple moving average of the last 5 days on the Y axis and time (spans) on the X, where response_code>200 by path

I'll paste an example of where I'm at, but I know I'm not even close. Can I get any tips please?

index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200
          | streamstats avg(count(_time)) as cTime window=5
          | table _time path cTime | timechart usenull=f span=8h avg(cTime) By path

mayurr98 · ‎04-06-2022

Not sure if this is what you are looking for ?

index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200 
| bin _time span=1d 
| stats count by path _time 
| streamstats window=5 sum(count) as total_count avg(count) as avgCount by path 
| fields _time path total_count avgCount

Say you run that search over the last 30 days, where each row is a unique day with path . And each row has a '_time' field, and an 'avgCount' field. The avgCount field will be the average events per day, during that day and the 4 days preceding it.

How to timechart count as variance from moving average

chart

stats

table

timechart

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?