Hi all, I am trying to create a scatter diagram that will show the ideal range of values and how many fall within it. I tried to use timechart but it seems like it didn't work. I have tried a few different ways already and it still fails. Below is the code used to extract the result (shown by the red arrow in the picture).
Customer="xyz" ID=yvalue |timechart span=1m avg(Value) as yvalue
|appendcols [search Customer="xyz" ID=xvalue |timechart span=1m avg(Value) as xvalue]
|table xvalue, yvalue
And I need one more piece of code to draw the acceptable range of the result, as shown in the image below:
And I wish to display the range of it as shown by the black arrow in the picture. Would you mind sharing with me how I should achieve it? Thank you very much.
Helping with this one will require us to understand more about the underlying data.
We have literally no idea what kind of values of yvalue might be acceptable for any given xvalue.
I did notice that you aren't really using _time for anything, so don't use timechart, just use stats. Also, just in case your files ever get big, you might run into problems with the maximum record limits of a subsearch on your | append. You can make them part of the regular search, and that problem will never occur. And, you should always tell Splunk what index(es) you want to look at.
index=foo Customer="xyz" (ID=xvalue OR ID=yvalue)
| bin _time span=1m
| xvalue=if(ID=xvalue,Value,null())
| yvalue=if(ID=yvalue,Value,null())
| stats avg(xvalue) as xvalue, avg(yvalue) as yvalue by Customer _time
| table xvalue yvalue
If there is some relationship between the xvalues and yvalues, then code like this might help you figure out what it is
| bin bins=10 xvalue as xbin
| bin bins=10 yvalue as ybin
| chart count over xbin by ybin
...or...
| bin bins=10 xvalue as xbin
| rex mode=sed field=xbin "s/-\d+$//g"
| eval xbin=tonumber(xbin)
| stats
avg(yvalue) as yavg, stdev(yvalue) as ystdev, sum(yvalue) as yweight,
perc10(yvalue) as y10, perc90(yvalue) as y90, count as ycount
by xbin
| eval series ="by xbin"
| xyseries xbin series yavg ystdev y10 y90 ycount
Hi Dal, thank you very much for your response. When I replace my code with
index=foo Customer="xyz" (ID=xvalue OR ID=yvalue)
| bin _time span=1m
| xvalue=if(ID=xvalue,Value,null())
| yvalue=if(ID=yvalue,Value,null())
it didn't work. I got an error message: Unknown search command 'xvalue'. Would you mind sharing with me how to resolve it? Thank you very much.
I found that "Eval" needs to be added in front of it.
For your information, the acceptable range shown by the black arrows is the calculated theoretical value. Meanwhile, the value shown by the red arrow is the value we get from the experiment.
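
The search from this thread with the `eval` keyword in place, followed by a count of points inside and outside an acceptable band (an added example, not code posted by anyone in the thread). The string literals are quoted because `eval` reads an unquoted `xvalue` as a field name rather than a value. The thread never gives the theoretical formula, so `assumed_lower` and `assumed_upper` (plus or minus 10% of xvalue, for positive xvalue) are placeholders to replace with the real calculation.

```spl
index=foo Customer="xyz" (ID="xvalue" OR ID="yvalue")
| bin _time span=1m
| eval xvalue=if(ID="xvalue", Value, null())
| eval yvalue=if(ID="yvalue", Value, null())
| stats avg(xvalue) as xvalue, avg(yvalue) as yvalue by Customer _time
| where isnotnull(xvalue) AND isnotnull(yvalue)
| eval assumed_lower=0.9*xvalue, assumed_upper=1.1*xvalue
| eval in_range=if(yvalue>=assumed_lower AND yvalue<=assumed_upper, "inside", "outside")
| stats count by in_range
```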