Answers for "Weirdness with timechart, rolling averages, all I really want are the actual values."
https://answers.splunk.com/answers/37919/weirdness-with-timechart-rolling-averages-all-i-really-want-are-the-actual-values.html
The latest answers for the question "Weirdness with timechart, rolling averages, all I really want are the actual values."Answer by Ayn
https://answers.splunk.com/answering/37946/view.html
First, some explanation on how `timechart` behaves: `timechart` needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what timerange the whole search spans, but let's take an example where the timespan is 1 minute and that somewhere in your log you have 3 of these events occurring within 1 minute. Splunk needs to know how to give you ONE value for "Value", even though there are 3 values of each. So, when you run `timechart` without any timespan explicitly defined, Splunk sets a timespan and then performs the chosen statistical operation on the field values found in all the events for that interval. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats
There's also a second way to do this that might be better in your case, which is to produce a table containing timestamps and values yourself and then feed them into the chart.
... | table _time "Code Red" "Urgent" "Very High" "High" "Low"Tue, 10 Jan 2012 23:32:22 GMTAyn