Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

time chart only computing the first part of the calculation

splunk3341
Loves-to-Learn Lots
‎01-10-2022 10:27 AM

Hello,

I am working with the timechart command on my following query and I am running into some problems.

I am trying to compute: 
timechart span=15m sum(ofAField) as sumOfField, avg(sumOfField) as avgOfField by task

My problem with this one is that when I run it. I get the correct output for the first task but the out for the rest of the task are wrong. I am assuming that for the rest of the tasks only the sum portion of the time chart query is being calculated and not the avg. For background context there are about 11 different task this time chart is being grouped by. 

TIA

Labels (3)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2022 09:59 PM

If I understand you correctly, you are getting the sum of "ofAField" in a 15 minute period. In that case, what exactly should the average show for that 15 minute period - I am assuming you are looking for a flat line of the average across your time range.

In that case, you would do this

| makeresults count=1000
| streamstats c
| eval _time=_time-(c*10)
| eval task=mvindex(split("taskA,taskB,taskC,taskD", ","), random() % 4)
| eval ofAfield=random() % 100
| timechart span=15m sum(ofAfield) as sumofAfield by task
| eventstats avg(*) as avg_*

The last two lines are what you want, i.e. you first take the sum of 'ofAfield" and then use eventstats to compute the average

Then using a bar chart with an overlay of the average fields you can produce this sort of output - is this what you wanted?

bowesmana_0-1641880742594.png

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2022 10:40 AM

I'm 99% sure you can't daisy-chain expressions like that - at least not successfully.  Try computing the sum and average in different commands, something like this:

| bin span=15m _time
| stats sum(ofAField) as sumOfField by _time,task
| timechart span=15m avg(sumOfField) as avgOfField by task
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunk3341
Loves-to-Learn Lots
‎01-10-2022 01:50 PM

Hi, 

Thank you for your input. I tried you suggestion but I get the same error as when I daisy-chain them.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2022 05:04 PM

Please tell us more about the error.  What results are expected and what do you get?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...