Splunk Search

Splunk timechart with average line

klischatb
Path Finder

Hello everyone!

I want to combine two searches or find another solution. 🙂

Here is my problem:
I need a timechart where I can show the occurrences of some IDs (example for an ID: 345FsdEE344FED- 354235werfDF2) and put an average line over it.

Graph Idea:
Orange: Timechart with a distinct count for the IDs
Green: Stats with average for the count of the IDs


index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time


For the timeframe I want to be flexible, but for the span 15 minutes are OK.

Thank you all a lot and have a nice day.


ITWhisperer
SplunkTrust
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc
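To make clear why the accepted search works where the earlier suggestions did not, here is an added Python model of the same pipeline (not Splunk's code and not from anyone in this thread): it runs over a handful of constructed events, bins them into 15-minute buckets like `bin span=15m _time`, takes a distinct count of the non-numeric TEST_ID per bucket like `stats dc(TEST_ID)`, and then, like `eventstats avg(...)`, attaches the overall average to every row rather than collapsing the rows, which is exactly what lets the average be drawn as a flat line next to the per-bucket counts. The event timestamps and ID strings are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original thread): an ISO-8601
# timestamp and the opaque, non-numeric TEST_ID seen in that event.
SAMPLE_EVENTS = [
    ("2022-06-17T06:00:10Z", "345FsdEE344FED-354235werfDF2"),
    ("2022-06-17T06:05:00Z", "9a8B7c6D5e4F-ZZZ"),
    ("2022-06-17T06:14:59Z", "345FsdEE344FED-354235werfDF2"),  # same ID again
    ("2022-06-17T06:15:00Z", "345FsdEE344FED-354235werfDF2"),  # next bucket
    ("2022-06-17T06:31:00Z", "345FsdEE344FED-354235werfDF2"),
    ("2022-06-17T06:32:00Z", "9a8B7c6D5e4F-ZZZ"),
    ("2022-06-17T06:44:00Z", "qwErTy-12345-UIOP"),
]

SPAN_15M = 15 * 60  # seconds, the span the question settles on


def parse_ts(text):
    """Turn an ISO-8601 UTC timestamp into epoch seconds (Splunk's _time)."""
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def bin_time(ts, span_seconds):
    """`bin span=<span> _time`: floor the timestamp to the bucket start."""
    return ts - ts % span_seconds


def dc_by_time(events, span_seconds=SPAN_15M):
    """`stats dc(TEST_ID) as count_of_testid by _time`.

    A set per bucket gives a distinct count that works on string IDs,
    which is why this succeeds where max() on the ID field could not.
    """
    ids_per_bucket = defaultdict(set)
    for ts_text, test_id in events:
        ids_per_bucket[bin_time(parse_ts(ts_text), span_seconds)].add(test_id)
    return [
        {"_time": bucket, "count_of_testid": len(ids_per_bucket[bucket])}
        for bucket in sorted(ids_per_bucket)
    ]


def eventstats_avg(rows, field="count_of_testid", out="average_dc"):
    """`eventstats avg(<field>) as <out>`: keep every row and add the
    overall average to each one, so it can be charted as a flat line."""
    average = sum(row[field] for row in rows) / len(rows)
    return [dict(row, **{out: average}) for row in rows]


def timechart_with_average(events, span_seconds=SPAN_15M):
    """The whole accepted pipeline: bin -> stats dc -> eventstats avg."""
    return eventstats_avg(dc_by_time(events, span_seconds))


if __name__ == "__main__":
    for row in timechart_with_average(SAMPLE_EVENTS):
        when = datetime.fromtimestamp(row["_time"], tz=timezone.utc)
        print(f"{when:%H:%M}  dc={row['count_of_testid']}  avg={row['average_dc']:.2f}")
```

Because `eventstats` leaves the rows intact, the result has both `count_of_testid` and `average_dc` on every time bucket, which is the shape a chart overlay needs; a plain `stats avg(...)` would reduce the table to a single row and lose the per-bucket counts, and running the average in an `append` subsearch only adds a join step to reach the same place.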


klischatb
Path Finder

This works!

Thank you very much.

@ITWhisperer 

and thank you too. @gcusello 

Have a nice day.


gcusello
SplunkTrust

Hi @klischatb,

you can use the join command as used in the License Consumption report, or append, like the following example that I tried on my environment and runs:

index=_internal 
| bin span=10m _time
| stats max(linecount) AS linecount BY _time
| append [ search 
   index=_internal 
   | bin span=10m _time
   | stats avg(linecount) AS average BY _time 
   ]
| stats values(linecount) AS linecount values(average) AS average BY _time

Ciao.

Giuseppe

klischatb
Path Finder

Unfortunately, this does not work, but thank you very much for this information.
The IDs are not numeric fields, so the max command will not work.
I had thought about eventstats, but I couldn't find a solution with testing.


gcusello
SplunkTrust

Hi @klischatb,

you could try to make the avg of dc(TEST_ID), something like this:

index=your_index
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid BY _time
| append [ search 
   index=your_index
   | bin span=1m _time
   | stats avg(dc(TEST_ID)) as avg_of_dc_testid BY _time 
   ]
| stats values(count_of_testid) AS count_of_testid values(avg_of_dc_testid) AS avg_of_dc_testid BY _time

Ciao.

Giuseppe

klischatb
Path Finder

I tried to adapt this solution, but for my IDs I didn't find the right way to do it.
https://community.splunk.com/t5/Splunk-Search/How-to-overlay-a-straight-line-showing-the-average-tim...
