Splunk Search

How to use timechart to get two different timechart averages, then get a sum of those two values in each time span?

New Member

I am using the search below to get two different averages from two different indexes:

index=a | bucket _time span=4h | stats avg(session_count) as X by _time
| append [search index=b | bucket _time span=4h | stats avg(session_count) as Y by _time]

Now I want a time chart to sum X & Y in each of the 4-hour time frames.
Can you please look at the search I wrote and suggest how to get this result?

0 Karma
1 Solution

SplunkTrust

Try this

(index=a OR index=b) | timechart span=4h usenull=f avg(session_count) by index | eval sum=a+b

New Member

Yes, it's working, I just need to use fields - a, b to only show the sum. Great! Thanks.

0 Karma