- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Adding Outputs of a Search to Timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding Outputs of a Search to Timechart
Hi All,
I'd like to add duration and last weeks avg duration values in to timechart to help display time better, however I'm not getting accurate results with what I have. Here is the search without timechart:
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, earliest(_time) as _time, latest(_time) as end_time, latest(status) as status, by svc_context_id, bp_context_id
| eval duration=(end_time-_time)
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
| stats avg(duration) as prev_week_avg_duration by svc_context_name]
| where duration>(2*prev_week_avg_duration)
| bucket span=10m _time | table _time, duration, prev_week_avg_duration | sort - _time
Increasing bucket span doesn't help either. I know there needs to be something like
...| timechart span=10m max(duration) as current_duration, min(duration) as prev_week_avg_duration, but this isn't working.
Any suggestions would be greatly appreciated
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is as close as I can get with the information you have provided....
index=contract_gateway sourcetype=esb_audit earliest=@d bp_bp_name=PO
| stats first(svc_context_name) as svc_context_name, range(_time) as current_duration, earliest(_time) as timestamp, latest(status) as status, by svc_context_id, bp_context_id
| bucket timestamp span=10m
| stats avg(current_duration) as current_duration by timestamp svc_context_name
| join svc_context_name type=left [ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d bp_bp_name=PO
| stats avg(duration) as prev_week_avg_duration by svc_context_name ]
| table svc_context_name timestamp current_duration prev_week_avg_duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I really appreciate the help, but this also doesn't work. The actual durations are off...there has to be a way! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are only two variables, and that is the duration and prev_week_avg_duration. Time is automatically added by the timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can't have that many variables on a timechart - you only have 3 to work with:
X axis - time
Y axis - duration (in seconds, I suppose)
multiple lines based on a third variable - which one?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the confusion. So what I am doing here is calculating duration of orders from today that are greater than the avg duration of orders from last week. So I am trying to add 'duration' and 'prev_week_avg_duration' to a line graph via timechart. Please let me know if that helps. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to figure out an answer to this, but I got very confused about what you actually want to see on the timechart.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
