Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk timechart with average line

klischatb
Path Finder
‎06-16-2022 11:10 PM

Hello everyone!

I want to combine two searches or find another solution. 🙂

Here my problem:
I need a timechart where i can show the occurences of some ID´s (example for an ID: 345FsdEE344FED- 354235werfDF2) and put an average line over it.

Graph Idea:
Orange: Timechart with a distinct count for the ID´s
Green: Stats with average for the count of the ID´s

klischatb_0-1655445769136.png

 

 

 

index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time

 

 

For the timeframe i want to be flexibel but for the span 15 minutes are ok.

Thank you all a lot and have a nice day.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 12:52 AM 
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 12:52 AM 
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc
Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-17-2022 02:16 AM

This works!

Thank you very much.

@ITWhisperer 

and thank you too. @gcusello 

Have a nice day.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2022 11:26 PM

Hi @klischatb,

you can use the join command as used in the License Consuption report, or append, like the following example that I tried on my environemtn and runs:

index=_internal 
| bin span=10m _time
| stats max(linecount) AS linecount BY _time
| append [ search 
   index=_internal 
   | bin span=10m _time
   | stats avg(linecount) AS average BY _time 
   ]
| stats values(linecount) AS linecount values(average) AS average BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-16-2022 11:52 PM

Unfortunately, this does not work, but thank you very much for this information.
The IDs are not numeric fields, so the max command will not work.
I had thought about eventstats, but I couldn't find a solution with testing.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-17-2022 12:25 AM

Hi @klischatb,

you could try to make the avg of dc(TEST_ID), something like this:

index=your_index
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid BY _time
| append [ search 
   index=your_index
   | bin span=1m _time
   | stats avg(dc(TEST_ID)) as avg_of_dc_testid BY _time 
   ]
| stats values(count_of_testid) AS count_of_testid values(avg_of_dc_testid) AS avg_of_dc_testid BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-16-2022 11:12 PM

I tried to adapt this solutions but for my ID´s i didnt found the right way to do it.
https://community.splunk.com/t5/Splunk-Search/How-to-overlay-a-straight-line-showing-the-average-tim...

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...