Solved: How to edit my search to show a line of an average...

SecureIA · ‎01-11-2016

Hi helpful people,

I wish to display on a column graph an average line for my search. My current search is as follows:-

host=CATSG14 "INTGWAUTH" AND "Failed login" earliest=-30d@d latest=now | timechart span=1d count

Is there anyway to show an average bar on the graph? Any help will be truly appreciated.

aljohnson_splun · ‎01-11-2016

Yes, there are lots of ways. A simple way would be to use trendline:

host=CATSG14 "INTGWAUTH" AND "Failed login" earliest=-30d@d latest=now 
| timechart span=1h count
| trendline sma5(count) as 5hour_average

You can change the 5 of sma5 to something else, e.g. a 24 hour average with | trendline sma24(count)

Docs for trendline can be found here.

aljohnson_splun · ‎01-11-2016

Yes, there are lots of ways. A simple way would be to use trendline:

host=CATSG14 "INTGWAUTH" AND "Failed login" earliest=-30d@d latest=now 
| timechart span=1h count
| trendline sma5(count) as 5hour_average

You can change the 5 of sma5 to something else, e.g. a 24 hour average with | trendline sma24(count)

Docs for trendline can be found here.

SecureIA · ‎01-11-2016

thanks for your reply aljohnson!! I tried this, however I simply get another bar instead of a trendline 😕

SecureIA · ‎01-12-2016

Thanks alot guys, I managed this 🙂

somesoni2 · ‎01-11-2016

You would have to select the overlay option to set the new field as overlay field. See here

How to edit my search to show a line of an average over the last 30 days on a column graph?