Splunk Search

Timechart a dataset of weekly averages

aohls
Contributor

I have a dataset with some data points from a report I made; week end date (MM/DD/YYYY), host, user action, and average response time are the data points. We have a large dataset, so the run time is pretty long, and we wanted to get rid of some noise and get a smoother line; we are really only looking for long-term trends. The idea was to average it out weekly into a dataset and then graph the dataset. I am having some trouble getting the timechart to work using only the dataset data. Has anyone run into something like this? Run time is important, as it will be housed in a dynamic dashboard with some selections.

In short, can I timechart from only the dataset with weekly averages? Is there a better way to do this?

  | lookup systemOverview.csv hostName as hostName OUTPUT _time as OVTime, component as component, WeekAvg as WeekAvg, Name AS Name
  | timechart values(WeekAvg) by hostName 

aohls
Contributor

I was able to get the output I needed. I was overthinking this, but the following worked.

| inputlookup "systemVitals.csv"

I could then use the data I needed.


woodcock
Esteemed Legend

Like this:

| inputlookup systemOverview.csv
| sort 0 - _time
| timechart avg(WeekAvg) BY hostName 

nyc_jason
Splunk Employee

Hello aohls, can you post your SPL? Are you specifying 'span=1w' in your timechart?


aohls
Contributor

@jschogel I have added the search I am attempting, not the original search into the dataset. I did not specify the span in the timechart I was trying. I will give that a shot.
