I have log entries that contain, among other things, fields called AcctID and exec_time. I have a user who wants to do, essentially:
sourcetype=statslog | timechart count, avg(exec_time) by AcctID
Since I know this to not be directly possible in 4.1, I went to the strategy laid out in http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries. My search ends up being:
host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0
| stats count as cnt, avg(exec_time) as avgexec by AcctID
| eval s1="count avgexec"
| makemv s1 | mvexpand s1
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) | eval series=AcctID+":"+s1
And I get results as expected, like:
AcctID    cnt  avgexec     s1       series           yval
7490728   23   391.826087  count    7490728:count    23
7490728   23   391.826087  avgexec  7490728:avgexec  391.826087
5459551   22   193.954545  count    5459551:count    22
5459551   22   193.954545  avgexec  5459551:avgexec  193.954545
But when I add the final | xyseries _time,series,yval to the search, I get "No results found".
What am I missing?
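The following search is an added example, not part of the original post or its answers. It shows the same multi-series technique with one change: stats only keeps its by-clause fields and its aggregates, so after "stats ... by AcctID" there is no _time field left for xyseries to use as the row key. Binning _time first and adding it to the by-clause carries a timestamp through to xyseries. The span of 1h is an assumption; pick whatever granularity the timechart needs.

```spl
host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time>0
| bin _time span=1h
| stats count as cnt, avg(exec_time) as avgexec by _time, AcctID
| eval s1="count avgexec"
| makemv s1
| mvexpand s1
| eval yval=case(s1=="count", cnt, s1=="avgexec", avgexec)
| eval series=AcctID.":".s1
| xyseries _time, series, yval
```

makemv splits on a single space by default, which is why the two-word s1 value becomes two rows after mvexpand; the "." operator is Splunk's explicit string concatenation, equivalent here to the "+" used in the post. Each 1h bucket then yields one row with a column per AcctID:count and AcctID:avgexec series, which is what the timechart-style chart in the question needs.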