How to timechart count as variance from moving ave...

robempire · ‎04-06-2022

This seems to me like it should be super simple (looker, tableau, etc) but I've been working at this for almost 2 days and I'm getting nowhere, I would be very appreciative if anyone could help.

I'm trying to get:

Chart the percentage difference between count of _time (ie. count of records) and a simple moving average of the last 5 days on the Y axis and time (spans) on the X, where response_code>200 by path

I'll paste an example of where I'm at, but I know I'm not even close. Can I get any tips please?

index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200
          | streamstats avg(count(_time)) as cTime window=5
          | table _time path cTime | timechart usenull=f span=8h avg(cTime) By path

mayurr98 · ‎04-06-2022

Not sure if this is what you are looking for ?

index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200 
| bin _time span=1d 
| stats count by path _time 
| streamstats window=5 sum(count) as total_count avg(count) as avgCount by path 
| fields _time path total_count avgCount

Say you run that search over the last 30 days, where each row is a unique day with path . And each row has a '_time' field, and an 'avgCount' field. The avgCount field will be the average events per day, during that day and the 4 days preceding it.

How to timechart count as variance from moving average

chart

stats

table

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation