- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timechart with multiple fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart with multiple fields
Hi , I need to add one more field "row_num" in the same timechart
Search query is
index=abc | timechart span=1hr avg(response_time) by host
row_num contains 30 ,40,25,15,.....
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thankyou all for the responses .Somesoni2 and woodcock , i am getting the timechart for both response_time and row_num but not as expected .
I am looking for is
when i hover into the chart , it gives
1)date and time
2)avg(response_time) with values .
can max(row_num) also included along with the other two when i hover ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With my answer (the "chartable" one), you will get TWO lines for each host: 1 line for the avg(response_time) and another for max(row_num). There is no way to stuff 2 separate values into a single line (see the "unchartable" commentary in my answer).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are going to use the visualization tab, you need to make sure that all of your "things" have a single numerical value. You can gather as many "things" as you like just by adding them in a string like this:
THIS IS UNCHARTABLE:
index=abc | timechart span=1h avg(response_time) values(row_num) BY host
THIS IS CHARTABLE:
index=abc | timechart span=1h avg(response_time) max(row_num) BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want to include avg(row_num) and it should be calculated for each host? IF yes, the this should work.
index=abc | timechart span=1hr avg(response_time) avg_response_time avg(row_num) avg_row_num by host
Update
Does this give you what you want?
index=abc | eval host=host.":".row_num| timechart span=1hr avg(response_time) avg_response_time by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might need "chart OVER BY" instead of timechart? Or a fancy stats call. More information about what exactly you're looking for would be helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What information is the row_num field supposed to convey?
Are you wanting the average of the row_num for each host in each hour, or the max, or what?
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability
