I was able to accomplish that in another dashboard just showing that one value by using this search:

| stats count by QuickSearch_Status,QuickSearch_Response,Recruiter_Response | eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | table Response_Time

But now they want me to do a single value panel with colors and trends showing the value and having it change related to the time range in the time picker. I know that means I have to add the timechart or chart by time for trending to be available and that's where I'm stuck

Ok nows its starting to make sense. So are you trying to have the trend compare the past 15 minute average to the past 4 hour average?

So we dont want to look at the first value, its the last value (which is what the single value will display), and the second to the last value( which is what the trend will be based on )

As somesoni2 mentioned what timespan the trend is based on would be configured by the trendInterval setting.

But as for the value being the same it makes sense based on the query. You are bucketing averages in 15 minute spans, so searching the past hour or the past 24 hours, the last 15 minutes span will be the same between the two queries.

Maybe we are not understanding what 2 timespan averages you are trying to compare.

sorry masonmorales,

I don't have enough Karma points to attach a file

Thanks masonmorales,

I tried the search with ...base search... | eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | timechart avg(Response_Time)

The issue that I come up with now is the value shows as 0 if the timepicker preset range is set lower than "last 24 hours"

Any chance you can post 24 hours of some sample data that is being used by the timechart command? i.e.

 ...base search... | eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | table _time Response_Time

You are mentioning using timechart however Im not seeing timechart command anywhere

From the example you are providing you are splitting by _time in both the stats and chart command. Unless you are bucketing your time earlier in your query you are going to get a avg metric for each unique time value

Are each one of these fields found in a single event?
Login_Response,QuickSearch_Response,Recruiter_Response

If they are you should be able to do this below without having to use stats or chart
| eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | timechart avg(Response_Time)

Thanks cramasta

I must've copied the query after I starting trying different commands.

Those are separate fields that can be found in 1 single event. The event is generated using a script that runs every 15 mins.

I tried your suggestion and it's still not coming up with what I'm looking for. This might be easier....below is query that I have on another dashboard panel that gives me the avg response time of the selected timerange from the timepicker. The value changes correctly as I change the range. I need to be able to do this same thing within a single value panel that will change colors by set thresholds and show trending.

It's like I can get one (get the corrected averages) or the other (show value with color changes and trending) but not both in one panel.

|stats count by QuickSearch_Response,Login_Response,Recruiter_Response | eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | stats avg(eval(Response_Time)) AS Avg_Response_Time

I'm sure I'm probably just missing some to make it work correctly

Thanks again

How do you want to show the trend and against which value? What is the threshold value for it to change color?

somesoni2,

Basically these are different response times to different parts of a site. We want to add the 3 response times and get an average time using the timepicker input. So we have the thresholds for the avg total response time set up to show green < 6s, Yellow <9 and then red >9. We want the trend arrows and sparkline using a compare from a week ago.

I can get bits and pieces working but can't put it all together.

I have the threshold and sparkline/trending arrows working on the total response time but when I try to do avg response time, the value doesn't change when the timepicker changed. I can get it to show the correct avg value with the color per threshold but without being able to time chart the avg, I cant get the trending portion to show.

Hope that all made sense 🙂

Have you tried running the query outside the dashboard to validate the data set you are getting back?

Or could it be the single value panel is not hooked up to the time range picker?

Yup...I ran the query below just in the search and used the visualization tab to see what the single value chart looks like and I still get zeros until I change the range to 24 hours. It keeps grabbing the value in the last event. almost like I'm doing a timechart last instead of timechart avg

| eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | timechart avg(Response_Time)

Have you tried setting your span?

| eval Response_Time=(Login_Response+QuickSearch_Response+Recruiter_Response) | timechart span=1h avg(Response_Time)

Your script is only generating events once every 15 minutes. If you dont set a span for the timechart and search a small timeframe, it might create spans of 5 minutes, which would result in you getting some 5 minute spans with no events to calculate a average on.

Tried that and that's where some of my confusion is....or least where I see it not working correctly.

So with that search, the value stays at 4.85 secs as I change to timepicker range. With the "last 15 mins" chosen, the value is 4.85 s which makes sense to be cause that's the value in the 1 event showing. With the "last 24 hours" chosen the value stays at 4.85s even though some events show that the total responsetime was over 10s. Same goes with "last 60 mins" or "last 4 hours" chosen. The value always matches the "last 15 mins".

Let's forget about the single value and just look at the results from a last hour search and a last 24 hours. In both cases what what are the 2 last the avg values and time values that you are getting back. Thinking we have to understand the data you are getting back before trying to put it into single value.