unable to use where >= with timechart
timechart max(value) AS la by User | eval la=round(la,2) | where la >=10
If the span for your timechart is fixed (not using the Splunk default), then try this:
your base search | bucket span=<<yourSpan>> _time | stats max(value) as la by _time user | eval la=round(la,2) | where la >=10 | xyseries _time user la
OR
your base search | bucket span=<<yourSpan>> _time | stats max(value) as la by _time user | eval la=round(la,2) | where la >=10 | timechart span=<<yourSpan>> max(la) by user
Thank you for your response. This is close, however. I have a table which calculates the avg as below.
stats avg(value) AS la BY host User | eval la=round(la,2) | where la >=0
Also, as suggested by you, I want to display a timechart. Tried the below, but I see entries from the below search but not from the table above. Is it because of _time? (i.e. if I see 10 users from the timechart, I see only one from the previous table. Both need to match.)
stats avg(value) as la by _time host User | eval la=round(la,2) | where la >=0 | timechart avg(la) by User
As @jrodman said, timechart by User does not give you a field named la but fields named after each User. The "as" clause is used for legend only. I think what you wanted is to find `value` of each User; for those users whose maximum value in a given time span is greater than or equal to 10, and only for those, display users and their respective maximum values.
Note the above also implies two logical consequences:
Users whose maximum value has never reached 10 in the entire search period will never be shown.
For users appearing on the chart, their results will show 0 in spans of time in which their maxima don't reach 10.
The logic can be reversed to produce the exact same output, i.e., by limiting timechart only to those users who ever showed a value or values reaching or exceeding 10.
| where value >= 10 | timechart max(value) as la by User | eval la=round(la,2)
Because you are seeking maxima and not average, where you perform rounding doesn't affect the outcome. In other words, you can do
| where value >= 10 | eval value=round(value,2) | timechart max(value) as la by User
to get the same results, although the first form is more efficient.
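An added, self-contained reproduction of the filter-before-timechart approach from this answer (not part of the original reply): it builds a handful of constructed events with makeresults, so it can be pasted into any Splunk search bar. The user names, timestamps and values are made up.

```spl
| makeresults count=1
| eval raw="2024-01-01T00:00:00 alice 12;2024-01-01T00:00:00 bob 3;2024-01-01T01:00:00 alice 4;2024-01-01T01:00:00 bob 15;2024-01-01T01:00:00 carol 9"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ts>\S+) (?<User>\S+) (?<value>[\d.]+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S"), value=tonumber(value)
| where value >= 10
| timechart span=1h max(value) AS la BY User
```

The result has the columns _time, alice and bob (no la column): carol never appears because none of her values reach 10, and each remaining user only has a value in the hour where a value of 10 or more was seen. Appending `| where la >= 10` after the timechart instead returns no rows at all, because la does not exist as a field once the series have been split by User.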
When you say max(value) as la by User, you get the values as the value of 'User', not as 'la'. If you have multiple fields, like |timechart max(value) as mv, avg(value) as av by user then you get the values as fields called things like mv:user1 and av:user1.
Effectively a single timechart aggterm as name by field is not a meaningful 'as' scenario, since you would want the data plotted by the field values, and we express the data as a single xyseries. You can say |where user1 >=10. I'm not sure how to construct the implied goal, but suspect it involves bringing the eval expression into the timechart.