- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to show the Minimum and Maximum duration for l...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to show the Minimum and Maximum duration for last 90 days in a timechart?
Hello guys
I am displaying a TimeChart of average of Duration and a Baseline for last 30 days..It is working properly.
Problem :- But now I need to show Min and Max of Duration for Last 90 days in the same timechart. How can I do this..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this to the end of your search:
| eval _min=99999999, _max=-99999999
| foreach * [ eval _min = min(_min, <<FIELD>>), _max = max(_max,<<FIELD>>) ]
| rename _min AS MIN _max AS MAS
This adds 2 new lines to your existing chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcock
Thanks for the reply but I think we are not on the same page about the problem I mentioned.
I am displaying a data for last 30 days in a chart. in the same chart, I need to display Max and min of last 90 days as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Without much info, you can try like this.
your current search giving _time average and baseline fields for last 30 days
| appendcols [your search to get min and max for last 90 days]
| filldown min max
There may be better/efficient options but we can only suggest based on your current search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2 for reply
But can u tell me how to add the condition for last 90 days because in my time picker, I have to select last 30 days. Because all other data has to be from last 30 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can override the time range picker by specifying the time range inline in 90 days subsearch. Like this
index=foo earliest=-90d@d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do this at the very end before the timechart. It will add the exact same value for minDuration and maxDuration to every event, which will allow you to display them as horizontal lines on the chart.
| eventstats min(Duration) as minDuration, max(Duration) as maxDuration
as far as the timechart command itself, it doesn't really matter whether you use min(minDuration) or avg(minDuration) or max(minDuration), since they would all be identical values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi DalJeanis
Thanks for the reply.. But I am already showing the value of last 30 days in chart and already showing a baseline of average in the same chart. Now I need to display baseline of Min and Max of last 90 days in the same chart (having other data of last 30 days)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your current search to show Average duration for 30 day? It would be possible for us to assist if we had more details of your current search.
Without having the details of whether 90 days min and max can be included in your current search, you can run a separate search in your dashboard to perform the same and then pass min and max as form tokens (for example tokMin and tokMax. In your existing search you can use the following after your current stats and then overlay the fields Max and Min.
| eval Max=$tokMin$
| eval Min=$tokMin$
However, there might be a possibility to tweak your existing query to perform the same. (On other hand, sometimes running two separate queries may run faster than a single but expensive query with join/append).
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the Reply.. Yes my current search is showing the average duration for last 30 days.. and it is working fine. But I want to add two new baseline in the same chart(showing data from last 30 days) for Min and Max from last 90 days.. I think we can do this from sub search but not able to get the right query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shot in the dark, but I just posted an answer over here that might be what you're looking for: https://community.splunk.com/t5/Splunk-Enterprise/Event-annotation-for-the-min-and-max-value-of-a-fi...
Basically I'm using a secondary annotation search for my chart to pull out the max timespan value (probably a better way to do this...) and then showing an annotation for the max value on my chart with some flavor text.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
