Hello,
I am working with the timechart command on my following query and I am running into some problems.
I am trying to compute:
timechart span=15m sum(ofAField) as sumOfField, avg(sumOfField) as avgOfField by task
My problem with this one is that when I run it, I get the correct output for the first task but the output for the rest of the tasks is wrong. I am assuming that for the rest of the tasks only the sum portion of the time chart query is being calculated and not the avg. For background context, there are about 11 different tasks this time chart is being grouped by.
TIA
If I understand you correctly, you are getting the sum of "ofAField" in a 15 minute period. In that case, what exactly should the average show for that 15 minute period - I am assuming you are looking for a flat line of the average across your time range.
In that case, you would do this:
| makeresults count=1000
| streamstats c
| eval _time=_time-(c*10)
| eval task=mvindex(split("taskA,taskB,taskC,taskD", ","), random() % 4)
| eval ofAfield=random() % 100
| timechart span=15m sum(ofAfield) as sumofAfield by task
| eventstats avg(*) as avg_*
The last two lines are what you want, i.e. you first take the sum of "ofAfield" and then use eventstats to compute the average.
Then using a bar chart with an overlay of the average fields you can produce this sort of output - is this what you wanted?
I'm 99% sure you can't daisy-chain expressions like that - at least not successfully. Try computing the sum and average in different commands, something like this:
| bin span=15m _time
| stats sum(ofAField) as sumOfField by _time,task
| timechart span=15m avg(sumOfField) as avgOfField by task
Hi,
Thank you for your input. I tried your suggestion but I get the same error as when I daisy-chain them.
Please tell us more about the error. What results are expected and what do you get?