I have a chart that shows total bytes sent on a computer. The chart seems to work, but it's hard to read. Since this number keeps increasing, it's hard to read in chart form because it's such a high number. Can I subtract the first result from all the numbers in my chart? That way the first plot would be 0 and the user can see the increase over time. Here is what I have now. What would I change to do that?
<chart>
<searchTemplate>sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as "Bytes Sent"</searchTemplate>
<title>Bytes Sent</title>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleY.text">Bytes Sent</option>
<option name="charting.chart">area</option>
<option name="charting.primaryAxisTitle.text"/>
<option name="displayRowNumbers">true</option>
</chart>
Why not use delta so you have only the difference?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta
Try using this search:
sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as total_bytes | delta total_bytes as "Bytes Sent" | fields -total_bytes
Very cool, I understand it now. I never even thought about making the chart like this, but I really like the idea. It seems to be easy to read and find the spikes fast.
I tried that, but it did not show the correct numbers I was expecting. I double-checked and my data is correct and all the numbers increase. It should chart a line that continues to go up. This chart showed numbers going up and down.
It's the bytes sent over time, not the total sum of bytes sent
Like this:
sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as "Bytes Sent"
| eventstats first("Bytes Sent") AS FBS
| eval "Bytes Sent" = "Bytes Sent" - FBS
Think I'm doing something wrong. I get this
Error in 'eval' command: Typechecking failed. '-' only takes numbers.
Replace | eval "Bytes Sent" = "Bytes Sent" - FBS
with | eval "Bytes Sent" = 'Bytes Sent' - FBS
Yes, I used the wrong quotes.
Perfect! Got it working. Thanks for all the help.
I think that is close! The chart is showing the FBS value and not the "Bytes Sent". Sorry, I don't use Splunk very often. I'm sure I'm missing something simple.
I see the chart is showing values for both Bytes Sent and FBS. How do I remove the FBS from my chart?
See comment above.
Add this to the end
... | fields - FBS
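The two approaches from this thread, side by side on constructed data, as an added run-anywhere example that is not from any of the posters: "Since Start" subtracts the first bucket from every bucket, so it starts at 0 and only rises, while "Per Interval" is the `delta` between neighbouring buckets, so it moves up and down. The sample counter values, the one-hour span and the field names `n`, `total_bytes`, "Since Start" and "Per Interval" are assumptions; the inline comments need a Splunk version that supports triple-backtick comments.

```spl
| makeresults count=6 ```constructed sample: six hourly readings of an ever-growing counter```
| streamstats count AS n
| eval _time = relative_time(now(), "@h") - (6 - n) * 3600
| eval bytes_sent = 5000000 + tonumber(mvindex(split("0,4000,5000,12000,13000,21000", ","), n - 1))
| timechart span=1h avg(bytes_sent) AS total_bytes
| eventstats first(total_bytes) AS FBS ```baseline = value of the first bucket```
| eval "Since Start" = total_bytes - FBS
| delta total_bytes AS "Per Interval"
| fields - FBS, total_bytes
```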