Hi Experts,
I am plotting a trend line with trendline command. Here is my simple search
sourcetype="Perfmon:CPU14" | timechart span=1h avg(Value) by host | trendline sma5(avg(Value)) as trend
I am just getting a chart but no trend line. Any help on this will be highly appreciated.
Thanks in advance
I'm not sure you can combine operations within a trendline calculation, e.g. | trendline sma5(avg(Value)). Also, remember that Splunk transforms your results at each step of the search pipeline. Your timechart command transforms your results into a table where each row is a time value and each column is one of the values of the split-by field. At this point, the split-by field no longer exists in your search results, so if you could combine operations within the trendline command, the Value field is no longer present in your results. You can see this by running your search one pipe at a time.
Instead, if I understand what you're wanting to do, try something like this:
sourcetype="Perfmon:CPU14" | timechart span=1h avg(Value) by host | addtotals row=t | trendline sma5(Total) as trend | fields - Total
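To make the pipeline shape concrete, here is an added Python simulation (not code from the thread or from Splunk) of the three steps in that search: the timechart pivot that turns the per-host Value events into one column per host, addtotals row=t, and a 5-point simple moving average over Total. The sample events are constructed, and the assumption that rows before the SMA window is full get no trend value is a simplification of Splunk's trendline behaviour.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, Value), the shape a
# Perfmon:CPU14 search returns. The numbers are made up for this example.
BASE = datetime(2024, 1, 1, 0, 0)
EVENTS = []
for i in range(8):  # 8 hourly buckets
    for host, base in (("web01", 40.0), ("web02", 60.0)):
        t = BASE + timedelta(hours=i)
        # two samples per hour per host so avg() has something to average
        EVENTS.append((t, host, base + i))
        EVENTS.append((t + timedelta(minutes=30), host, base + i + 2))


def timechart_avg_by_host(events):
    """Mimic `timechart span=1h avg(Value) by host`: one row per hour,
    one column per host. After this step there is no 'Value' field."""
    buckets = defaultdict(lambda: defaultdict(list))
    for t, host, value in events:
        hour = t.replace(minute=0, second=0, microsecond=0)  # span=1h
        buckets[hour][host].append(value)
    rows = []
    for hour in sorted(buckets):
        row = {"_time": hour}
        for host, vals in buckets[hour].items():
            row[host] = sum(vals) / len(vals)
        rows.append(row)
    return rows


def addtotals_row(rows):
    """Mimic `addtotals row=t`: sum the numeric columns into a Total field."""
    for row in rows:
        row["Total"] = sum(v for k, v in row.items() if k not in ("_time", "Total"))
    return rows


def trendline_sma(rows, field, window, out="trend"):
    """Mimic `trendline smaN(field) as out`: simple moving average over the
    last N consecutive rows (trendline has no by clause, so it never splits
    by host). Rows before the window fills get no trend value (assumed)."""
    history = []
    for row in rows:
        history.append(row[field])
        if len(history) >= window:
            row[out] = sum(history[-window:]) / window
    return rows


def sma5_of_total(events):
    """The whole pipeline: timechart by host | addtotals row=t | trendline sma5(Total)."""
    return trendline_sma(addtotals_row(timechart_avg_by_host(events)), "Total", 5)
```

Printing the rows returned by sma5_of_total(EVENTS) shows why the original search found nothing to average: each row carries web01, web02 and Total, but no Value column.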
I am trying to figure out something similar. I have multiple panels which just show a number following the calculation, so we can monitor these numbers and if they go below a number we change colors in traffic-light fashion. The majority use | appendpipe [| stats count | where count=0] | stats count at the end so it doesn't produce an N/A, and then the stats count to count the number of instances.
What I want to do is see trendlines compared to the last 24 hours, so I can see if this data is being received, for example. Would really appreciate assistance as I am still elevating my knowledge of Splunk. Thanks.
C.
This question is almost three years old and has an accepted question so you're unlikely to get an answer. You should post a new question.
Thanks MuS and Wpreston,
I tried your search Wpreston, and now I can see the second line as a trend, but with this I am not able to distinguish the trend and the actual data line as both are looking similar. Can't we see or draw a trend line as it has been mentioned in the following topic at the bottom? Please see the screenshot.
The difference is that the blog post in your link timecharts a single count, meaning it only writes out one line, making it easy to differentiate the trend. Your search charts a new line for each distinct value of the split-by field. A couple of things you could try would be addtotals and to trendline the correct field.
Hi vikas_gopal,
Looks like trendline doesn't like the split-by clause of timechart. If you don't need timechart's aggregation, you can try something like this:
sourcetype="Perfmon:CPU14" | bucket _time span=1h | stats avg(Value) AS avg_value by host, _time | trendline sma5(avg_value) as trend
hope this helps ...
cheers, MuS
You're too quick for me, MuS 🙂
Thanks for the quick response, but it did not work for me. With this it seems both lines are overlapping, as I cannot see the second line, which should be the trend line.
That's probably because I made a typo 😉
Try this:
sourcetype="Perfmon:CPU14" | bucket _time span=1h | stats avg(Value) AS avg_value by host, _time | trendline sma5(avg_value) as trend