Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk timechart with average line

klischatb
Path Finder
‎06-16-2022 11:10 PM

Hello everyone!

I want to combine two searches or find another solution. 🙂

Here my problem:
I need a timechart where i can show the occurences of some ID´s (example for an ID: 345FsdEE344FED- 354235werfDF2) and put an average line over it.

Graph Idea:
Orange: Timechart with a distinct count for the ID´s
Green: Stats with average for the count of the ID´s

klischatb_0-1655445769136.png

 

 

 

index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time

 

 

For the timeframe i want to be flexibel but for the span 15 minutes are ok.

Thank you all a lot and have a nice day.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 12:52 AM 
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 12:52 AM 
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc
Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-17-2022 02:16 AM

This works!

Thank you very much.

@ITWhisperer 

and thank you too. @gcusello 

Have a nice day.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2022 11:26 PM

Hi @klischatb,

you can use the join command as used in the License Consuption report, or append, like the following example that I tried on my environemtn and runs:

index=_internal 
| bin span=10m _time
| stats max(linecount) AS linecount BY _time
| append [ search 
   index=_internal 
   | bin span=10m _time
   | stats avg(linecount) AS average BY _time 
   ]
| stats values(linecount) AS linecount values(average) AS average BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-16-2022 11:52 PM

Unfortunately, this does not work, but thank you very much for this information.
The IDs are not numeric fields, so the max command will not work.
I had thought about eventstats, but I couldn't find a solution with testing.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-17-2022 12:25 AM

Hi @klischatb,

you could try to make the avg of dc(TEST_ID), something like this:

index=your_index
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid BY _time
| append [ search 
   index=your_index
   | bin span=1m _time
   | stats avg(dc(TEST_ID)) as avg_of_dc_testid BY _time 
   ]
| stats values(count_of_testid) AS count_of_testid values(avg_of_dc_testid) AS avg_of_dc_testid BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-16-2022 11:12 PM

I tried to adapt this solutions but for my ID´s i didnt found the right way to do it.
https://community.splunk.com/t5/Splunk-Search/How-to-overlay-a-straight-line-showing-the-average-tim...

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...