- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart with multiple fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart with multiple fields
Hi , I need to add one more field "row_num" in the same timechart
Search query is
index=abc | timechart span=1hr avg(response_time) by host
row_num contains 30 ,40,25,15,.....
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thankyou all for the responses .Somesoni2 and woodcock , i am getting the timechart for both response_time and row_num but not as expected .
I am looking for is
when i hover into the chart , it gives
1)date and time
2)avg(response_time) with values .
can max(row_num) also included along with the other two when i hover ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With my answer (the "chartable" one), you will get TWO lines for each host: 1 line for the avg(response_time) and another for max(row_num). There is no way to stuff 2 separate values into a single line (see the "unchartable" commentary in my answer).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are going to use the visualization tab, you need to make sure that all of your "things" have a single numerical value. You can gather as many "things" as you like just by adding them in a string like this:
THIS IS UNCHARTABLE:
index=abc | timechart span=1h avg(response_time) values(row_num) BY host
THIS IS CHARTABLE:
index=abc | timechart span=1h avg(response_time) max(row_num) BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want to include avg(row_num) and it should be calculated for each host? IF yes, the this should work.
index=abc | timechart span=1hr avg(response_time) avg_response_time avg(row_num) avg_row_num by host
Update
Does this give you what you want?
index=abc | eval host=host.":".row_num| timechart span=1hr avg(response_time) avg_response_time by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might need "chart OVER BY" instead of timechart? Or a fancy stats call. More information about what exactly you're looking for would be helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What information is the row_num field supposed to convey?
Are you wanting the average of the row_num for each host in each hour, or the max, or what?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
