Splunk Search

Why am I just getting a chart, but no trend line after using trendline command?

vikas_gopal
Builder

Hi Experts,
I am plotting a trend line with trendline command. Here is my simple search

sourcetype="Perfmon:CPU14" | timechart span=1h avg(Value) by host | trendline sma5(avg(Value)) as trend

I am just getting a chart but no trend line. Any help on this will be highly appreciated.

Thanks in advance

1 Solution

wpreston
Motivator

I'm not sure you can combine operations within a trendline calculation, e.g. | trendline sma5(avg(Value)). Also, remember that Splunk transforms your results at each step of the search pipeline. Your timechart command transforms your results into a table where each row is a time value and each column is one of the values of the split-by field. At this point, the split-by field no longer exists in your search results so if you could combine operations within the trendline command, the Value field is no longer present in your results. You can see this by running your search one pipe at a time.

Instead, if I understand what you're wanting to do, try something like this:

sourcetype="Perfmon:CPU14" | timechart span=1h avg(Value) by host | addtotals row=t | trendline sma5(Total) as trend | fields - Total

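As an added illustration, not code from this thread or from Splunk, a small Python model of the three pipeline stages in the accepted answer: after `timechart ... by host` only `_time` and one column per host remain (no `Value` field), `addtotals row=t` supplies a `Total` column, and the moving average is taken over that column. The host names, the sample values and the detail that no trend value is emitted until the window has filled are assumptions made here.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events as (epoch seconds, host, Value): two hosts, one
# reading per hour for six hours. Not real Perfmon:CPU14 data.
EVENTS = [(h * 3600, host, base + 10.0 * h)
          for h in range(6) for host, base in (("hostA", 10.0), ("hostB", 30.0))]


def timechart_avg_by_host(events, span=3600):
    """Model of `timechart span=1h avg(Value) by host`: one row per time bucket
    and one column per host value. The Value field itself does not survive."""
    buckets = defaultdict(lambda: defaultdict(list))
    for t, host, value in events:
        buckets[t - t % span][host].append(value)
    hosts = sorted({host for _, host, _ in events})
    return [{"_time": t, **{h: mean(buckets[t][h]) if buckets[t][h] else None
                            for h in hosts}} for t in sorted(buckets)]


def addtotals_row(rows):
    """Model of `addtotals row=t`: add a Total column summing each row's numbers."""
    for row in rows:
        row["Total"] = sum(v for k, v in row.items()
                           if k != "_time" and isinstance(v, (int, float)))
    return rows


def trendline_sma(rows, field, period, out):
    """Model of `trendline sma<period>(field) AS out`: simple moving average over
    the last `period` rows in result order. Rows seen before the window fills
    get no value (assumed here to mirror Splunk's output)."""
    window = []
    for row in rows:
        window.append(row[field])
        del window[:-period]  # keep only the most recent `period` values
        row[out] = mean(window) if len(window) == period else None
    return rows


def accepted_pipeline(events):
    """The accepted answer end to end, including the final `fields - Total`."""
    rows = trendline_sma(addtotals_row(timechart_avg_by_host(events)), "Total", 5, "trend")
    for row in rows:
        row.pop("Total")
    return rows


if __name__ == "__main__":
    for row in accepted_pipeline(EVENTS):
        print(row)
```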

colinmchugo
Explorer

I am trying to figure out something similar. I have multiple panels which just show a number following the calculation so we can monitor these numbers and if they go below a number we change colors in traffic light fashion. The majority use | appendpipe [| stats count | where count=0] | stats count at the end so it doesn't produce an N/A and then the stats count to count the number of instances.

What I want to do is see trendlines compared to the last 24 hours so I can see if this data is being received, for example. Would really appreciate assistance as I am still elevating my knowledge of Splunk, thanks.

C.


richgalloway
SplunkTrust

This question is almost three years old and has an accepted question so you're unlikely to get an answer. You should post a new question.

---
If this reply helps you, Karma would be appreciated.


vikas_gopal
Builder

Thanks MuS and Wpreston,
I tried your search Wpreston, and now I can see the second line as a trend, but with this I am not able to distinguish the trend and the actual data line as both are looking similar. Can't we see or draw the trend line as it has been mentioned in the following topic at the bottom? Please see the screenshot.


wpreston
Motivator

The difference is that the blog post in your link timecharts a single count, meaning it only writes out one line making it easy to differentiate the trend. Your search charts a new line for each distinct value of the split by field. A couple of things you could try would be:

  • Remove the split by field in your timechart command and change the search to not use addtotals and to trendline the correct field.
  • Leave the search the way it is and change the visualization to a bar or stacked bar, then use Splunk 6's Chart Overlay (in the format dropdown) to overlay the trend as a line.

MuS
SplunkTrust

Hi vikas_gopal,

looks like trendline doesn't like the split by clause of timechart. If you don't need timechart's aggregation, you can try something like this:

sourcetype="Perfmon:CPU14" | bucket _time span=1h | stats avg(Value) AS avg_value by host, _time | trendline sma5(avg_value) as trend

hope this helps ...

cheers, MuS

wpreston
Motivator

You're too quick for me, MuS 🙂

vikas_gopal
Builder

Thanks for the quick response, but it did not work for me. With this it seems both the lines are getting overlapped, as I cannot see the second line which should be a trend line.


MuS
SplunkTrust

That's probably because I made a typo 😉

Try this:

sourcetype="Perfmon:CPU14" | bucket _time span=1h | stats avg(Value) AS avg_value by host, _time | trendline sma5(avg_value) as trend