How to get trendline to show results for first 7 d...

sswansonchtr · ‎06-11-2014

I am working with the 'trendline' command and have it working. Here is my search:

index=logs host=192.168.1.1 earliest=-37d
| timechart span=1d count as Total
| trendline sma7(Total) as Trend

The only issue is the 'Trend' field has no results for the 1st 7 days of my run so the chart shows a broken line. That is why I adjusted to 'earliest=-37d' so I can actually see the full 30 day trend, but I still have a chart that looks incomplete. I want the chart to look complete and I see this being a possibility in one of 2 ways: 1) Have trendline compute the full set of days somehow or 2) Be able to search on one timeframe but display/timechart on another (ie. search on the -37 days and show only -30 days).

MuS · ‎09-15-2014

Hi sswansonchtr,

if you want to show the complete trendline on your timechart, simply apped | where Trend>0 at the end of your search like this:

index=logs host=192.168.1.1 earliest=-37d | timechart span=1d count as Total | trendline sma7(Total) as Trend | where Trend>0

This way you would miss the first 7 days in your example, but I think this is exactly what you tried to achieve.

hope this helps ...

cheers, MuS

How to get trendline to show results for first 7 days?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...