Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk timechart with average line

klischatb
Path Finder
‎06-16-2022 11:10 PM

Hello everyone!

I want to combine two searches or find another solution. 🙂

Here my problem:
I need a timechart where i can show the occurences of some ID´s (example for an ID: 345FsdEE344FED- 354235werfDF2) and put an average line over it.

Graph Idea:
Orange: Timechart with a distinct count for the ID´s
Green: Stats with average for the count of the ID´s

klischatb_0-1655445769136.png

 

 

 

index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time

 

 

For the timeframe i want to be flexibel but for the span 15 minutes are ok.

Thank you all a lot and have a nice day.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 12:52 AM 
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 12:52 AM 
index=example_dev 
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid by _time
| eventstats avg(count_of_testid) as average_dc
Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-17-2022 02:16 AM

This works!

Thank you very much.

@ITWhisperer 

and thank you too. @gcusello 

Have a nice day.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2022 11:26 PM

Hi @klischatb,

you can use the join command as used in the License Consuption report, or append, like the following example that I tried on my environemtn and runs:

index=_internal 
| bin span=10m _time
| stats max(linecount) AS linecount BY _time
| append [ search 
   index=_internal 
   | bin span=10m _time
   | stats avg(linecount) AS average BY _time 
   ]
| stats values(linecount) AS linecount values(average) AS average BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-16-2022 11:52 PM

Unfortunately, this does not work, but thank you very much for this information.
The IDs are not numeric fields, so the max command will not work.
I had thought about eventstats, but I couldn't find a solution with testing.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-17-2022 12:25 AM

Hi @klischatb,

you could try to make the avg of dc(TEST_ID), something like this:

index=your_index
| bin span=1m _time
| stats dc(TEST_ID) as count_of_testid BY _time
| append [ search 
   index=your_index
   | bin span=1m _time
   | stats avg(dc(TEST_ID)) as avg_of_dc_testid BY _time 
   ]
| stats values(count_of_testid) AS count_of_testid values(avg_of_dc_testid) AS avg_of_dc_testid BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

klischatb
Path Finder
‎06-16-2022 11:12 PM

I tried to adapt this solutions but for my ID´s i didnt found the right way to do it.
https://community.splunk.com/t5/Splunk-Search/How-to-overlay-a-straight-line-showing-the-average-tim...

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...