Splunk Search

Manipulating _time to remove 0 values from line chart

ericwindmill
Observer

I have a line chart in which I'm trying to monitor response time for a certain network call. I want to see the average response time, over time, by platform in a line chart.

Input data looks something like this:

network call #   response time (ms)   platform
1                200                  web
2                250                  android
3                300                  web
                 140                  ios

 

and my current query looks like this:

 

index=myindex
| search mysearch
| spath response_time 
| spath input=request_payload output=platform path=client_properties.platform
| streamstats avg(response_time) as platform_response_time by platform time_window=10m
| chart first(platform_response_time) over _time by platform

 

 

This is getting me pretty close, but there's something about it that isn't "right":

Screen Shot 2020-12-08 at 10.21.53 AM.png

What can I do to make the lines... better? I don't even know how to phrase this, but there shouldn't be 0 values. The lines shouldn't be jumping up and back down to 0 at every tick. They should be more "straight". The problem, I think, is that I'm creating a point for each interval of time, and there isn't a request for every platform at every interval.

Is there a way to group time intervals together in a longer period of time? i.e. there will only be a plot point for the average response time each 5-minute interval? If there are truly 0 requests in 5m from a platform, that should be reflected, but it isn't likely and wouldn't happen so often.

0 Karma

richgalloway
SplunkTrust

Use the timechart command and adjust the span until the zeros disappear.

index=myindex
| search mysearch
| spath response_time 
| spath input=request_payload output=platform path=client_properties.platform
| streamstats avg(response_time) as platform_response_time by platform time_window=10m
| timechart span=10m first(platform_response_time) by platform
---
If this reply helps you, Karma would be appreciated.
0 Karma
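
Added example, not part of the thread: a small Python model of the span adjustment suggested in the reply, run on constructed events, that counts how many platform/bucket cells are empty at each span and picks the smallest span with none. The function names, the sample cadences and the candidate spans are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, platform, response_time_ms).
# Each platform reports at its own cadence, so timestamps rarely line up.
EVENTS = (
    [(t, "web", 200 + t % 50) for t in range(0, 3600, 40)]
    + [(t, "android", 250 + t % 30) for t in range(15, 3600, 95)]
    + [(t, "ios", 140 + t % 20) for t in range(70, 3600, 240)]
)


def bucketed_avg(events, span):
    """Average response time per (time bucket, platform).

    Models the bucketing done by `timechart span=<span>` with an average
    split by platform: buckets are contiguous, and in this model a platform
    with no events in a bucket gets None (an empty cell), not 0.
    """
    sums = defaultdict(lambda: [0, 0])  # (bucket, platform) -> [total, count]
    for ts, platform, rt in events:
        cell = sums[(ts - ts % span, platform)]
        cell[0] += rt
        cell[1] += 1
    filled = dict(sums)  # plain dict so lookups below cannot create cells
    platforms = sorted({p for _, p, _ in events})
    first = min(ts for ts, _, _ in events)
    last = max(ts for ts, _, _ in events)
    table = {}
    for bucket in range(first - first % span, last + 1, span):
        row = {}
        for p in platforms:
            cell = filled.get((bucket, p))
            row[p] = cell[0] / cell[1] if cell else None
        table[bucket] = row
    return table


def empty_cells(table):
    """Number of (bucket, platform) cells that have no data."""
    return sum(v is None for row in table.values() for v in row.values())


def smallest_gap_free_span(events, candidates):
    """Smallest candidate span (seconds) whose chart has no empty cells."""
    for span in sorted(candidates):
        if empty_cells(bucketed_avg(events, span)) == 0:
            return span
    return None
```

The span that comes out is set by the slowest-reporting platform, so it is worth rechecking after traffic patterns change.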