Splunk Search

TimeChart from 2 datasource.


I have 2 data source say DS1 and DS2.
There is a common field called EMPID for this two data source.
I want to generate a report based on below conditions.
Want to get the time chart with average for all EMPID’s on Y axis and _time on X axis.
average in my case is calculated based on below conditions.
Average=sum(field1) from DS1( dataource1)/sum(field2)from DS2(dataource2).
I tried and generated up to below. But I don’t know how to get the desired result from this,
Can anybody help me pls.

host= DS1 |join EMPID [search host= DS2| eval " EMPID "=employer_id]| stats sum(field1) as TotalVisit, count(field2) as Count |eval Average=TotalVisit/Count| table field TotalVisit,Count,Average

0 Karma

Ultra Champion

At the moment your search does not really deal with the _time element. And it also has a join, which seems a bit unecessary.

Have you considered making a timechart without the join?

your search for events | timechart span=1h sum(field1) as sum_1 sum(field_2) as sum_2 | eval ratio = sum_1/sum_2 | fields + ratio, _time

Then select the "visualization" tab in the search results.



The purpose of join is to get the group of employee id's.
for consider empid=10 present in both data source.
In DS1 sum(field1) will be 20 and in DS2 sum(field2) is 10.
I want to get the average for empid 10.
Likewise I want to get the result for all employee Ids present in both DataSourcec in a single search.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!