Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timechart with two different spans

lukeh
Contributor
‎10-29-2013 05:05 PM

Hi 🙂

I have a chart with one line for Usage (span=1d) and another line for 95th_Percentile (span=30d) but I am using "append" with "makecontinuous _time" - there has gotta be a better way...

Any help would be greatly appreciated 🙂

index=summary_blah report="CDN1"
| addtotals *Octets*
| fields + Total
| timechart span=1d max(Total) as Usage
| append [search index=summary_blah report="CDN1"
| addtotals *Octets*
| fields + Total
| timechart span=30d perc95(Total) as 95th_Percentile]
| eval Licence_Limit=96
| makecontinuous _time

Thanks in advance,

Luke 🙂

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-29-2013 05:39 PM

I would pursue something like this.

it gets data off disk only once, does the extra-pass-magic in eventstats instead of gunzipping raw events twice.
I've kinda ignored your addtotals Octets here, but I think you can figure out how to get it back. 

  index=summary_mediacap report="CDN1"
| eval day=_time 
| bin day span="1d"
| eval 30DayBucket=_time
| bin 30DayBucket span=30d
| eventstats max(Total) as Usage by day
| eventstats perc95(Total) as 95th_Percentile by 30DayBucket 
| eval Licence_Limit=96
| timechart span="1d" last(Licence_Limit) as Licence_Limit last(95th_Percentile) as 95th_Percentile last(Usage) as Usage

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-29-2013 05:39 PM

I would pursue something like this.

it gets data off disk only once, does the extra-pass-magic in eventstats instead of gunzipping raw events twice.
I've kinda ignored your addtotals Octets here, but I think you can figure out how to get it back. 

  index=summary_mediacap report="CDN1"
| eval day=_time 
| bin day span="1d"
| eval 30DayBucket=_time
| bin 30DayBucket span=30d
| eventstats max(Total) as Usage by day
| eventstats perc95(Total) as 95th_Percentile by 30DayBucket 
| eval Licence_Limit=96
| timechart span="1d" last(Licence_Limit) as Licence_Limit last(95th_Percentile) as 95th_Percentile last(Usage) as Usage
Reply
Solved! Jump to solution

lukeh
Contributor
‎10-29-2013 05:48 PM

Thanks Nick!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...