Solved: How to get the overall average and average per 5 m...

angersleek · ‎06-06-2018

I have a timechart which currently outputs the average value for every 5 minutes over a period of time for the field "SERVICE_TIME_TAKEN" using following query.

service=service1 | timechart span=5m avg(SERVICE_TIME_TAKEN) | fillnull

I want to add a second line on this same time chart which shows the overall average value. This would be a single value which draws a straight line on the chart.

If I make a separate query, I am able to get this single value using following query.

service=service1 | chart avg(SERVICE_TIME_TAKEN)

How can I combine these 2 queries to to show the data on a single time chart?

Tried the following but it only shows the line with the 5 min average.

service=service1 | timechart span=5m avg(SERVICE_TIME_TAKEN) as service_time | eventstats avg(SERVICE_TIME_TAKEN) as overall_service_time  | fillnull

This image depicts what I am looking for.
Orange line is the 5 mins average and blue line is the overall average.

renjith_nair · ‎06-06-2018

Does this work for you ?

service=service1 |fields _time,SERVICE_TIME_TAKEN|eventstats avg(SERVICE_TIME_TAKEN) as overall_service_time  | timechart span=5m avg(SERVICE_TIME_TAKEN) as service_time ,first(overall_service_time) as overall_service_time

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎06-06-2018

Does this work for you ?

service=service1 |fields _time,SERVICE_TIME_TAKEN|eventstats avg(SERVICE_TIME_TAKEN) as overall_service_time  | timechart span=5m avg(SERVICE_TIME_TAKEN) as service_time ,first(overall_service_time) as overall_service_time

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to get the overall average and average per 5 minutes on a Time Chart?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?