Splunk Search

Trendline won't generate

zacksoft
Contributor

I wanted to build a trendline of my hosts response_time over _time.
But it won't generate

source=my_perf
AND (host=A OR host=B OR host=C OR host=D OR host=E)
| base query
| trendline sma4(response_time) AS resp_time

I just want to show the trendline for one host atleast. If it is possible to get it for all in one graph, that would be even awesome.

Tags (1)
0 Karma
1 Solution

DalJeanis
Legend

The part you left out (marked base query ) is needed to give you good advice.

Presumably, you are using a timechart to calculate the response_time for each unit of time. that would look perhaps like this

source=my_perf AND (host=A OR host=B OR host=C OR host=D OR host=E)
| fields host response_time
| timechart span=1m avg(response_time) by host

The trick to remember here is that after timechart, the variables are named after the hosts. In this case the records will each look like they came out of this command...

| table _time A B C D E 

...so now, to add a trend for host named A, you need a command like this...

| trendline sma4(A) as A_trend

... and if you want one for each, then you need to repeat that line for each host name in the query.


However, if you want the trend of the average, then we need to do some other magic.

On the one hand, you could use an untable command after the timechart and before the trendline, then calculate the average for each _time, then use xyseries to put them back together. However esoteric and cool that method might be, it seems a bit clumsy. Do that only if you need the average of the host response time averages, rather than an average of all transactions without regard to which host they were processed on.

What I'd do instead, is go back BEFORE the timechart, and duplicate each record with a host name of "Average". That way, the timechart will create a field that calculates the average response time for all transactions across all the hosts.

source=my_perf AND (host=A OR host=B OR host=C OR host=D OR host=E)
| fields host response_time
| eval myfan=mvrange(0,2)
| mvexpand myfan
| eval host=if(myfan=0,host,"Average")
| timechart span=1m avg(response_time) by host
| trendline sma4(Average) as Average_trend

View solution in original post

DalJeanis
Legend

The part you left out (marked base query ) is needed to give you good advice.

Presumably, you are using a timechart to calculate the response_time for each unit of time. that would look perhaps like this

source=my_perf AND (host=A OR host=B OR host=C OR host=D OR host=E)
| fields host response_time
| timechart span=1m avg(response_time) by host

The trick to remember here is that after timechart, the variables are named after the hosts. In this case the records will each look like they came out of this command...

| table _time A B C D E 

...so now, to add a trend for host named A, you need a command like this...

| trendline sma4(A) as A_trend

... and if you want one for each, then you need to repeat that line for each host name in the query.


However, if you want the trend of the average, then we need to do some other magic.

On the one hand, you could use an untable command after the timechart and before the trendline, then calculate the average for each _time, then use xyseries to put them back together. However esoteric and cool that method might be, it seems a bit clumsy. Do that only if you need the average of the host response time averages, rather than an average of all transactions without regard to which host they were processed on.

What I'd do instead, is go back BEFORE the timechart, and duplicate each record with a host name of "Average". That way, the timechart will create a field that calculates the average response time for all transactions across all the hosts.

source=my_perf AND (host=A OR host=B OR host=C OR host=D OR host=E)
| fields host response_time
| eval myfan=mvrange(0,2)
| mvexpand myfan
| eval host=if(myfan=0,host,"Average")
| timechart span=1m avg(response_time) by host
| trendline sma4(Average) as Average_trend

kmaron
Motivator

are you getting an error message that you can share?

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...