Solved: Re: help to timechart after an append command

jip31 · ‎03-15-2022

hello

I use a search with the structure like below in order to timechart events from 2 different search

As you can see, I need to perc90 the events before doing a timechart

My question concerns the timechart

Is there a way to timechart the events without using an avg function?

index=toto
| search abc <=1000
| stats perc90(abc) as "titi" by _time 
| append 
    [ search index=toto 
    | search abc >= 1000 
    | stats perc90(abc) as "tutu" by _time ] 
| timechart span=1m avg("titi") as "titi", avg("tutu") as "tutu"

Thanks

gcusello · ‎03-15-2022

Hi @jip31,

did you tried something like this?

index=toto
| eval kind=if(abc<=1000,"titi","tutu")
| timechart perc90(abc) BY kind

Ciao.

Giuseppe

View solution in original post

gcusello · ‎03-15-2022

Hi @jip31,

did you tried something like this?

index=toto
| eval kind=if(abc<=1000,"titi","tutu")
| timechart perc90(abc) BY kind

Ciao.

Giuseppe

jip31 · ‎03-15-2022

Hi Gcusello, good idea thanks

gcusello · ‎03-15-2022

Hi @jip31,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

help to timechart after an append command

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

help to timechart after an append command

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar