I have a chart of durations, and I want to add a line over the chart with the value avg(duration). I used the query below; it works perfectly.
index=cloudfoundry sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||" | dedup processLogId| sort -splunkId |search endDate !=null AND status='COMPLETED' |eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N")
|eval _time=start_epoch
|eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N")
|eval duration=round((end_epoch-start_epoch)/60)
| chart values(duration) as duration by processLogId | eventstats avg(duration) as avg_duration
But now my requirement has changed: the chart should be based on the last 30 days (may vary) and the trendline should be based only on the last 7 days.
Kindly help me do it.
Hey @karthi,
I got the answer for this question; try the same search:
index=cloudfoundry sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||" | dedup processLogId| sort -splunkId |search endDate !=null AND status='COMPLETED' |eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N")
|eval _time=start_epoch
|eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N")
|eval duration=round((end_epoch-start_epoch)/60)
| chart values(duration) as duration by processLogId | eventstats avg(duration) as avg_duration
And then go to Format >> Chart Overlay >> Overlay >> select avg_duration
Or in XML just put <option name="charting.chart.overlayFields">avg_duration</option>
Let me know if this helps!
@mayurr98 Where can I give the time range for the trendline, because the time ranges for the chart and the trendline are different, right?
Then do this with the settings as described above!
index=cloudfoundry sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||"
| dedup processLogId
| sort -splunkId
| search endDate !=null AND status='COMPLETED'
| eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N")
| eval _time=start_epoch
| eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N")
| eval duration=round((end_epoch-start_epoch)/60)
| chart values(duration) as duration by processLogId
| appendcols
[ search index=cloudfoundry earliest=-7d@h latest=now sourcetype=cl**** "cf_foundation=px**" "cf_org_name=Co***" "cf_space_name=de***" "cf_app_name=splunk-log****" "||splunk-logger||"
| dedup processLogId
| sort -splunkId
| search endDate !=null AND status='COMPLETED'
| eval start_epoch=strptime(startDate,"%Y-%m-%d %H:%M:%S.%1N")
| eval _time=start_epoch
| eval end_epoch=strptime(endDate,"%Y-%m-%d %H:%M:%S.%1N")
| eval duration=round((end_epoch-start_epoch)/60)
| chart values(duration) as duration by processLogId
| eventstats avg(duration) as avg_duration]
| filldown avg_duration