I've looked around for an answer. Indeed, I modeled my answer after the following question:
https://answers.splunk.com/answers/225230/how-to-display-the-average-of-the-week-as-a-straig.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
I didn't get it to work, so I will ask my questions.
I have a search that gives me a time series of an event and a search that gives me an average. I can use an appendcols item to join the two; however, when I look at the graph, the time series shows up, but the average is a single dot for one timestamped value. I'd like the average to be a line across the chart.
Here's the command I'm running:
<query> | stats SUM(COUNT_ONE) by StartTime, ODATE, MODEL | sort by ODATE, StartTime | appendcols [ search <query> | stats AVG(COUNT_ONE) as new by MODEL]
As you can see, the last column only has one value for the average. If I can repeat this value on each row, I'll get what I want in my graph.
Thoughts?
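An added example, not part of the original post: `appendcols` pairs subsearch rows with main-search rows by position, so a subsearch that returns one row per MODEL fills only the first rows of the table. One way to put the average on every row is `eventstats`, which writes the per-MODEL average onto each event before the `stats` aggregation carries it through. `<query>` and the field names are taken from the post, and `total` is a field name assumed here.

```spl
<query>
| eventstats avg(COUNT_ONE) as new by MODEL
| stats sum(COUNT_ONE) as total, first(new) as new by StartTime, ODATE, MODEL
| sort ODATE, StartTime
```

Because `new` holds the same value on every row of a given MODEL, it charts as a flat line alongside `total`.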