Re: Timechart minimum values

dbcase · ‎02-15-2018

Hi,

I have this data this is retrieved once per hour (more or less on the hour) for the past 7 days.

readyArmed,32335,2018-02-15 12:01:38.646138 -5:00
armed,4743,2018-02-15 12:01:38.646138 -5:00

The first field is the armed state and the second field is the number of customers in that state at that time, the third field is the timestamp.

I've created a simple timechart graph showing the pattern and it looks like this. What I'd like to do is create a similar timechart graph that shows the minimum, maximum and averages of the same data over time.

cmerriman · ‎02-15-2018

index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum|eventstats max(sum) as max min(sum) as min avg(sum) as avg

based on previous comments, is something like this what you're needing?

dbcase · ‎02-15-2018

Hi cmerriman,

Interesting idea doing the post processing with eventstats. I gave it a shot and here is what happened

Time period X

Sum Value=37604 (this is good)
Avg Value=41271 (looks good)
Max Value=60718 (looks good)
Min Value=25947 (looks good)

Here is where the trouble shows up

Time period Y

Sum Value=37418 (this is good)
Avg Value=41271 (identical to time period X - possible but very unlikely)
Max Value=60718 (identical to time period X - possible but very unlikely)
Min Value=25947 (identical to time period X - possible but very unlikely)

Time period Z

Sum Value=36751 (this is good)
Avg Value=41271 (identical to time period X & Y - possible but extremely unlikely)
Max Value=60718 (identical to time period X & Y - possible but extremely unlikely)
Min Value=25947 (identical to time period X & Y - possible but extremely unlikely)

cmerriman · ‎02-15-2018

can you give a sample output of what the data should look like? I thought you meant the overall max/min/avg of sum when you stated you needed to represent the avg of the sum, min of the sum, and max of the sum. i suppose you could use streamstats instead of eventstats, and that would be a moving min/max/avg.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

micahkemp · ‎02-15-2018

If you just want the min/max/avg over the same period that your sum is over, this should work:

earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum, avg(field2) AS avg, min(field2) AS min, max(field2) AS max

dbcase · ‎02-15-2018

Hi Michahkemp,

Thanks! its close but not quite and I wasn't clear so lemme try again.

I would like the sum of field 2 min, max and avg not just field2

cmerriman · ‎02-15-2018

are you wanting it by state? or are there other fields that you want min, max, avg of?

dbcase · ‎02-15-2018

State can be armed or readyArmed, for this report they are essentially the same thing which is why I am summing the two values into one.

dbcase · ‎02-15-2018

Once summed I need to represent the sum, the avg of the sum, the minimum of the sum, and the maximum of the sum

dbcase · ‎02-15-2018

There are no other values in the data (I tried to keep in simple)

dbcase · ‎02-15-2018

Oh sorry, should have included my query

earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as ar

Timechart minimum values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation