Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: troublesome charting
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I have a chart that works for a time range of 60 minutes and looks like this:
sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | chart avg(avg_sec) by date_minute
This gives me an average for each minute of that hour, I would like to do the same for longer time periods but are unable to find out how. If I extend the time range it sums the same minutes for each hour and makes an average of that instead of treating every minute of each hour as a separate entity. Anyone know a fix?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should use the timechart command
sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should use the timechart command
sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The x axis can plot max 1000 points, and there are 1440 mins in a day. So it might be too wide. However, try to use "stats" to be sure you're getting the averages correct: sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | bucket _time span=1m | stat avg(avg_sec)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I've tried a lot of different ways now limited success. Basically what I want is to create an average that spans 1 minute in a larger time range where the chart is shown in a good way. It might be that my time range is too large when using a span of 1 minute and it simply won't work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to modify the way charts deal with nulls? You might try "treat as zeros".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still seeing some odd results, seems the results change depending on how long the time range is, if I use 4 hours I get peaks around 30 and when I use 24 hours I only get peaks around 12 so the average calculations seems to differ somehow.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
