@aquinojason To easily summarize values over time, you can use the timechart command:

    index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D*
    | timechart span=1d avg(MIPS) ```or max(MIPS), p90(MIPS), etc.```

Core Splunk does not include a linear trendline command, but you can create one yourself using SPL. See https://wiki.splunk.com/Community:Plotting_a_linear_trendline for an old example.

Splunk Machine Learning Toolkit does include a linear regression algorithm for the fit command:

    index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D*
    | timechart span=1d avg(MIPS) as MIPS
    | fit LinearRegression MIPS from _time

You can visualize your data as an area chart and then configure predicted(MIPS) as an overlay to show a linear trend.

Here's an example using Splunk introspection events:

    | tstats max(data.normalized_pct_cpu) as pct_cpu where index=_introspection host=splunk by _time span=10s
    | fit LinearRegression pct_cpu from _time

I'm not sure what the red line in your chart represents. If you want to add a moving average to your chart, you can use the trendline command:

    | tstats max(data.normalized_pct_cpu) as pct_cpu where index=_introspection host=splunk by _time span=10s
    | trendline sma6(pct_cpu)
    | fit LinearRegression pct_cpu from _time
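An added example, not part of the original post and not taken from the linked wiki page: one way to build the linear trendline in core SPL with an ordinary least-squares fit of the daily average against _time. The index, sourcetype and EXPRSSN filter are the placeholders from the post; the field names x, mean_x, mean_y, dx, dy, dxdy, dxdx, sxy, sxx and trend are assumptions chosen for this sketch. Empty daily buckets are left out of the fit but still receive a trend value.

```spl
index=xxxxxxx sourcetype="xxxxxx" EXPRSSN=IBM4D*
| timechart span=1d avg(MIPS) as MIPS
| eval x=if(isnotnull(MIPS), _time, null())
| eventstats avg(x) as mean_x, avg(MIPS) as mean_y
| eval dx=x-mean_x, dy=MIPS-mean_y
| eval dxdy=dx*dy, dxdx=dx*dx
| eventstats sum(dxdy) as sxy, sum(dxdx) as sxx
| eval trend=mean_y+(sxy/sxx)*(_time-mean_x)
| fields _time MIPS trend
```

Render MIPS as an area chart and set trend as the chart overlay; with fewer than two non-empty days sxx is 0 and trend comes back null.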