I am trying to display the response times of services for the last 7 days in a chart, but I want to round the response time.
For example, I only want 2 digits to be displayed after the decimal.
My query:
| chart avg(response_time) over services by Date
| foreach * [eval response_time = round(response_time,2)]
But the above query doesn't work for me.
@navd while using foreach as a template you would need to use <<FIELD>> to replace the template value for eval. Since you have used chart ... over services by Date, your first column will be services and the other columns would be the Date field. Following is what you can try:
<yourBaseSearch>
| chart avg(response_time) over services by Date
| rename * as avg_*
| rename avg_services as services
| foreach avg_* [eval "<<FIELD>>"= round('<<FIELD>>',2)]
| rename avg_* as *
Following is a run anywhere search example based on Splunk's _internal index similar to your query:
index=_internal sourcetype=splunkd
| chart avg(date_second) as date_second by component date_hour
| rename * as avg_*
| rename avg_component as component
| foreach avg* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
| rename avg_* as *
This worked for me, but is there a way to sort the result in asc or desc order?
@navd your Date field is String time, so sorting would depend on what the Date field looks like... for example, a YYYY/MM/DD format date will get sorted correctly, however DD/MM/YYYY will not. So you might have to apply a Serial number to your Date field before Chart and remove the same after the Chart command.
For us to assist you better, you will need to provide Date field sample values and also current output vs expected output result.
I am using this | eval Date=strftime(_time, "%Y-%m-%d") to display the Date as YYYY/MM/DD.
@niketnilay so with the above query my output looks something like the one below. Now I want to actually display these responsetime values in asc or desc order, so how do I sort them?
165565
125
44664646.23
1.1