Solved: normalize columns in timechart

splnk1391 · ‎11-04-2020

Hi all

consider this search:

source=bandwidth | timechart sum(packets_in) by host

which will produce rows indexed by a timestamp, and columns headed by hostnames.

I'd like to scale values in each column via division by the average of that column.

How should I go about it?

Many thanks.

ITWhisperer · ‎11-04-2020

Assuming 1hr buckets

source=bandwidth 
| bin span=1h _time
| stats sum(packets_in) as packets_in by host _time
| eventstats avg(packets_in) as avg_in by host
| eval packets_in=packets_in/avg_in
| xyseries _time host packets_in

View solution in original post

ITWhisperer · ‎11-04-2020

Assuming 1hr buckets

source=bandwidth 
| bin span=1h _time
| stats sum(packets_in) as packets_in by host _time
| eventstats avg(packets_in) as avg_in by host
| eval packets_in=packets_in/avg_in
| xyseries _time host packets_in

normalize columns in timechart

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation