Is there any way that we can use a search to create a multiple-line chart against time? I set an interval of 300 seconds, and against time, what are the best search commands that we can use?
time : 1371459878
visibility : 1.73
windBearing : 197
windSpeed : 8.97
cloudCover : 0.97
dewPoint : 70.9
humidity : 0.55
icon : cloudy
ozone : 264.25
precipIntensity : 0
pressure : 1004.23
summary : Overcast
temperature : 90.46
Assuming that you have the fields already extracted, this is one way of doing it. In this case we're charting by _time, which along with first() will work more as a plotting command than an aggregation command, given that there is only one event per _time.
your_base_search | chart first(visibility) first(dewPoint) first(temperature) first(ozone) by _time
You can also use timechart span=xxx stats_command(field) stats_command(field)
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions
Hope this helps,
Kristian
Thanks !!!
If you want to use min/max/avg you might want to bucket _time, or use the timechart. Otherwise the values will be the same (guessing you have one event per _time).
Use timechart span=XXX max(Y) avg(Y) min(Y) max(Z) avg(Z) etc, where the span is long enough to ensure that several events get included in the time-slot.
Given the search below, do you have any guidance to improve my search?
sourcetype="NYPWeatherForecastCurrently" | chart first(current_temperature) max(current_temperature) avg(current_temperature) min(current_temperature) first(current_psi) first(current_humidity) first(current_dewpoint) first(current_visibility) first(current_windSpeed) by _time
time : 1371697655
visibility : 0.3
windBearing : 247
windSpeed : 7.16
psiAverage : 162
cloudCover : 0.38
dewPoint : 72.24
humidity : 0.57
icon : fog
ozone : 268.3
precipIntensity : 0
pressure : 1007.63
summary : Foggy
temperature : 89.95