Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

timechart by count, average(timetaken) by type

dukechandu
New Member
‎09-06-2016 08:32 AM

Hi,

i have data like below

Type count timeTakenToexceute time
abc 2 2 sec 09-01-2016, 09-02-2016
xyz 1 1 sec 09-01-2016

needed timechart based on day, i am trying like below but missing count
..... | timechart span=1d avg(timetaken) by type

please help

thanks in advance.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎09-06-2016 09:57 AM

Try like this. It will create fields like AvgTime :Type and Count :Type. E.g. AvgTime :abc, Count: xyz

..... | timechart span=1d avg(timetaken) as AvgTime count as Count by type
0 Karma
Reply

somesoni2
Revered Legend
‎09-06-2016 11:57 AM

Both Average and count fields are different entity and can possibly have different magnitude in the y-axis. Why do you want to merge both? do you want to merge both average and count for each type? If yes, then just remove by type in the above query.

0 Karma
Reply

sundareshr
Legend
‎09-06-2016 09:50 AM

Try this

... | bin span=1d _time | stats avg(timetaken) as average count by _time typ
0 Karma
Reply

dukechandu
New Member
‎09-06-2016 11:02 AM

Thank you for your answers, but the issue i am facing here for count its showing separate bar, but i need both average and count displaying in single bar, is it possible.

please find the below image, first two bars shows average time taken and second two bars shows count of each type, i want there four bars in two bars displaying average and count.

alt text

thanks in advance

Preview file
17 KB
0 Karma
Reply

sundareshr
Legend
‎09-06-2016 11:43 AM

Have you tried stacked chart?

https://docs.splunk.com/Splexicon:Stackmode

OR, overlay may be a better option

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Chartcontrols#Chart_overlay_example_.28single_...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...