Splunk Search

Timechart a dataset of weekly averages

aohls
Contributor

I have a dataset with some data points from a report I made; week end date (MM/DD/YYYY), host, user action, and average response time are the data points. We have a large dataset, so the run time is pretty long, and we wanted to get rid of some noise and get a smoother line; we are also really only looking for long-term trends. The idea was to average it out weekly into a dataset, then graph the dataset. I am having some trouble getting the timechart to work using only the dataset data. Has anyone run into something like this? Run time is important, as it will be housed in a dynamic dashboard with some selections.

In short, can I timechart from only the dataset with weekly averages? Is there a better way to do this?

  | lookup systemOverview.csv hostName as hostName OUTPUT _time as OVTime, component as component, WeekAvg as WeekAvg, Name AS Name
  | timechart values(WeekAvg) by hostName 
0 Karma
1 Solution

aohls
Contributor

I was able to get the output I needed. I was overthinking this, but the following worked.

| inputlookup "systemVitals.csv"

I could then use the data I needed.

0 Karma

woodcock
Esteemed Legend

Like this:

| inputlookup systemOverview.csv
| sort 0 - _time
| timechart avg(WeekAvg) BY hostName 
0 Karma

nyc_jason
Splunk Employee

Hello aohls, can you post your SPL? Are you specifying 'span=1w' in your timechart?

0 Karma

aohls
Contributor

@jschogel I have added the search I am attempting, not the original search into the dataset. I did not specify the span in the timechart I was trying. I will give that a shot.

0 Karma