Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

time chart only computing the first part of the calculation

splunk3341
Loves-to-Learn Lots
‎01-10-2022 10:27 AM

Hello,

I am working with the timechart command on my following query and I am running into some problems.

I am trying to compute: 
timechart span=15m sum(ofAField) as sumOfField, avg(sumOfField) as avgOfField by task

My problem with this one is that when I run it. I get the correct output for the first task but the out for the rest of the task are wrong. I am assuming that for the rest of the tasks only the sum portion of the time chart query is being calculated and not the avg. For background context there are about 11 different task this time chart is being grouped by. 

TIA

Labels (4)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2022 09:59 PM

If I understand you correctly, you are getting the sum of "ofAField" in a 15 minute period. In that case, what exactly should the average show for that 15 minute period - I am assuming you are looking for a flat line of the average across your time range.

In that case, you would do this

| makeresults count=1000
| streamstats c
| eval _time=_time-(c*10)
| eval task=mvindex(split("taskA,taskB,taskC,taskD", ","), random() % 4)
| eval ofAfield=random() % 100
| timechart span=15m sum(ofAfield) as sumofAfield by task
| eventstats avg(*) as avg_*

The last two lines are what you want, i.e. you first take the sum of 'ofAfield" and then use eventstats to compute the average

Then using a bar chart with an overlay of the average fields you can produce this sort of output - is this what you wanted?

bowesmana_0-1641880742594.png

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2022 10:40 AM

I'm 99% sure you can't daisy-chain expressions like that - at least not successfully.  Try computing the sum and average in different commands, something like this:

| bin span=15m _time
| stats sum(ofAField) as sumOfField by _time,task
| timechart span=15m avg(sumOfField) as avgOfField by task
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunk3341
Loves-to-Learn Lots
‎01-10-2022 01:50 PM

Hi, 

Thank you for your input. I tried you suggestion but I get the same error as when I daisy-chain them.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2022 05:04 PM

Please tell us more about the error.  What results are expected and what do you get?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...