Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problem with timechart after a join

gferrazzano
New Member
‎08-14-2018 01:17 PM

My base search is just building a timechart of 3 utilization rates over time. Two rates come from one source, one from another via a join. Seems to work fine.

index=XXXX sourcetype="XXXX"
| eval Booked_tilization=substr(BookedUtilization , 1, len(BookedUtilization )-1)
| eval mytime=strptime(MonthYear, "%m/%d/%Y")
| eval _time=mytime
| eval "Room GUID"=substr(SynergyID , 1, len(SynergyID )-10)
| lookup XXXXXX.csv "Room GUID"
| join type=outer "System Name" [search index=XXXX sourcetype="XXXXX" | rename "Endpoint Name" as "System Name"]
| timechart span=1mon eval(round(avg(BookedUtilization),2)) as "Booked Utilization %" eval(round(avg(PanelUtilization),2)) as "Panel Utilization %" eval(round(avg('Utilization Rate'),2)) as "VC Utilization %"

alt text

However, if I specify a room number, the first two still work but the third breaks and gives you a repeating number. The number it gives (36.85) is the average for that room over all months.

alt text

Any guidance is appreciated!

Tags (1)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...