Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart with two different spans

lukeh
Contributor
‎10-29-2013 05:05 PM

Hi 🙂

I have a chart with one line for Usage (span=1d) and another line for 95th_Percentile (span=30d) but I am using "append" with "makecontinuous _time" - there has gotta be a better way...

Any help would be greatly appreciated 🙂

index=summary_blah report="CDN1"
| addtotals *Octets*
| fields + Total
| timechart span=1d max(Total) as Usage
| append [search index=summary_blah report="CDN1"
| addtotals *Octets*
| fields + Total
| timechart span=30d perc95(Total) as 95th_Percentile]
| eval Licence_Limit=96
| makecontinuous _time

Thanks in advance,

Luke 🙂

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-29-2013 05:39 PM

I would pursue something like this.

it gets data off disk only once, does the extra-pass-magic in eventstats instead of gunzipping raw events twice.
I've kinda ignored your addtotals Octets here, but I think you can figure out how to get it back. 

  index=summary_mediacap report="CDN1"
| eval day=_time 
| bin day span="1d"
| eval 30DayBucket=_time
| bin 30DayBucket span=30d
| eventstats max(Total) as Usage by day
| eventstats perc95(Total) as 95th_Percentile by 30DayBucket 
| eval Licence_Limit=96
| timechart span="1d" last(Licence_Limit) as Licence_Limit last(95th_Percentile) as 95th_Percentile last(Usage) as Usage

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-29-2013 05:39 PM

I would pursue something like this.

it gets data off disk only once, does the extra-pass-magic in eventstats instead of gunzipping raw events twice.
I've kinda ignored your addtotals Octets here, but I think you can figure out how to get it back. 

  index=summary_mediacap report="CDN1"
| eval day=_time 
| bin day span="1d"
| eval 30DayBucket=_time
| bin 30DayBucket span=30d
| eventstats max(Total) as Usage by day
| eventstats perc95(Total) as 95th_Percentile by 30DayBucket 
| eval Licence_Limit=96
| timechart span="1d" last(Licence_Limit) as Licence_Limit last(95th_Percentile) as 95th_Percentile last(Usage) as Usage
Reply
Solved! Jump to solution

lukeh
Contributor
‎10-29-2013 05:48 PM

Thanks Nick!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...