
Timechart with multiple fields

imthesplunker
Path Finder

Hi, I need to add one more field, "row_num", to the same timechart.

The search query is:
index=abc | timechart span=1hr avg(response_time) by host

row_num contains 30, 40, 25, 15, ...

Thanks.

0 Karma

imthesplunker
Path Finder

Thank you all for the responses. Somesoni2 and woodcock, I am getting the timechart for both response_time and row_num, but not as expected.
What I am looking for is:

When I hover over the chart, it gives:

1) date and time
2) avg(response_time) with values.

Can max(row_num) also be included along with the other two when I hover?

0 Karma

woodcock
Esteemed Legend

With my answer (the "chartable" one), you will get TWO lines for each host: one line for avg(response_time) and another for max(row_num). There is no way to stuff two separate values into a single line (see the "unchartable" commentary in my answer).

0 Karma

woodcock
Esteemed Legend

If you are going to use the visualization tab, you need to make sure that all of your "things" have a single numerical value. You can gather as many "things" as you like just by adding them in a string like this:

THIS IS UNCHARTABLE:

index=abc | timechart span=1h avg(response_time) values(row_num) BY host

THIS IS CHARTABLE:

index=abc | timechart span=1h avg(response_time) max(row_num) BY host
0 Karma
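To make the chartable/unchartable distinction concrete, here is a small Python simulation of what `timechart span=1h ... BY host` produces for two aggregations. It is an added example, not code from the thread or from Splunk: the events are constructed sample data, and the column naming (`<aggregation>: <host>`, or `<alias>: <host>` when `AS` is used) mirrors how timechart labels split-by series. With `max(row_num)` every cell is a single number, so each series can be drawn as its own line; with `values(row_num)` the cell becomes a multivalue list, which is why the visualization tab cannot plot it.

```python
"""Simulate `timechart span=1h <agg>... BY host` to show why max() keeps every
cell a single number (chartable) while values() yields multivalue cells
(unchartable). Added example with constructed data, not from the original thread."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (_time epoch seconds, host, response_time, row_num)
EVENTS = [
    (1700000400, "web01", 120.0, 30),
    (1700001800, "web01", 180.0, 40),
    (1700002500, "web02", 90.0, 25),
    (1700004000, "web01", 150.0, 15),
    (1700005000, "web02", 110.0, 35),
]

SPAN = 3600  # span=1h

# Aggregation functions as timechart applies them to one bucket/host cell.
AGGS = {
    "avg": lambda xs: sum(xs) / len(xs),
    "max": max,
    "values": lambda xs: sorted(set(xs)),  # multivalue cell, not a number
}


def bin_time(epoch, span=SPAN):
    """Equivalent of `bin _time span=...`: floor to the bucket start."""
    return epoch - (epoch % span)


def timechart(events, aggs, span=SPAN):
    """aggs: list of (func, field) or (func, field, alias) tuples, like
    `avg(response_time) AS avg_rt`. Returns {bucket_epoch: {column: value}}
    with columns named '<agg>: <host>' as the split-by timechart does."""
    groups = defaultdict(lambda: defaultdict(list))  # (bucket, host) -> field -> values
    for epoch, host, rt, rn in events:
        b = bin_time(epoch, span)
        groups[(b, host)]["response_time"].append(rt)
        groups[(b, host)]["row_num"].append(rn)

    rows = defaultdict(dict)
    for (b, host), fields in groups.items():
        for spec in aggs:
            func, field = spec[0], spec[1]
            alias = spec[2] if len(spec) > 2 else f"{func}({field})"
            rows[b][f"{alias}: {host}"] = AGGS[func](fields[field])
    return dict(rows)


def is_chartable(rows):
    """The visualization tab needs a single numeric value per cell."""
    return all(isinstance(v, (int, float)) and not isinstance(v, bool)
               for r in rows.values() for v in r.values())


def render(rows):
    """Print the result table the way the Statistics tab would show it."""
    for b in sorted(rows):
        stamp = datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(stamp, {k: rows[b][k] for k in sorted(rows[b])})


if __name__ == "__main__":
    good = timechart(EVENTS, [("avg", "response_time", "avg_rt"), ("max", "row_num", "max_row")])
    print("chartable:", is_chartable(good))
    render(good)
    bad = timechart(EVENTS, [("avg", "response_time"), ("values", "row_num")])
    print("chartable:", is_chartable(bad))
    render(bad)
```

Each `<alias>: <host>` column is one line on the chart, so with two aggregations and two hosts you get four lines, and the hover tooltip for a bucket lists the value of every series present there.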

somesoni2
SplunkTrust

You want to include avg(row_num), and it should be calculated for each host? If yes, then this should work.

index=abc | timechart span=1hr avg(response_time) as avg_response_time avg(row_num) as avg_row_num by host

Update

Does this give you what you want?

index=abc | eval host=host.":".row_num | timechart span=1hr avg(response_time) as avg_response_time by host
0 Karma

sowings
Splunk Employee

Might need "chart OVER BY" instead of timechart? Or a fancy stats call. More information about what exactly you're looking for would be helpful.

0 Karma

DalJeanis
SplunkTrust

What information is the row_num field supposed to convey?

Are you wanting the average of the row_num for each host in each hour, or the max, or what?

0 Karma