Solved: Apply a factor to count in timechart

splunkprimeriti · ‎02-08-2014

Hi.

I'm triying to correlate in a time chart number of visits with average response time but time is in milisecons and visits in thousands, so y want to aply a factor to count thousands instead of visits, but seems I can not apply directly to a count. I also tried to eval it previously but still getting invalid command.

so how do I apply a factor to a count in order to reduce its magnitude for a timechart? I'm using splunkstorm

somesoni2 · ‎02-08-2014

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN

View solution in original post

somesoni2 · ‎02-08-2014

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN

Ayn · ‎02-08-2014

How did you try eval? That's probably how you would achieve this.

Apply a factor to count in timechart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!