Get overall average and average per 5 minutes on a Time Chart - splunk

I have a timechart which currently outputs the average value for every 5 minutes over a period of time for the field "SERVICE_TIME_TAKEN" using following query.
service=service1 | timechart span=5m avg(SERVICE_TIME_TAKEN) | fillnull
I want to add a second line on this same time chart which shows the overall average value. This would be a single value which draws a straight line on the chart.
If I make a separate query, I am able to get this single value using following query.
service=service1 | chart avg(SERVICE_TIME_TAKEN)
How can I combine these 2 queries to show the data on a single time chart?
Tried the following but it only shows the line with the 5 min average.
service=service1 | timechart span=5m avg(SERVICE_TIME_TAKEN) as service_time | eventstats avg(SERVICE_TIME_TAKEN) as overall_service_time | fillnull
This image depicts what I am looking for.
Orange line is the 5 mins average and blue line is the overall average.

You can use eventstats first to get overall_service_time. This will add this field to every event. Next use timechart to get average values based on whatever span you want along with overall_service_time.
service=service1
| fillnull value=0
| eventstats avg(SERVICE_TIME_TAKEN) as overall_service_time
| timechart span=5m avg(SERVICE_TIME_TAKEN) as service_time, last(overall_service_time) as overall_service_time
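Added example, not part of the original answer: the query below generates nine constructed events with makeresults (six with SERVICE_TIME_TAKEN=100, two with 400, one with 700, placed in three consecutive 5-minute buckets) and computes the overall average two ways: with eventstats before timechart, as in the answer, and with eventstats over the per-bucket averages after timechart. The field names n, offset and avg_of_bucket_averages are made up for the illustration.

```spl
| makeresults count=9
| streamstats count as n
| eval offset = case(n<=6, 0, n<=8, 300, true(), 600)
| eval _time = relative_time(now(), "@h") - 900 + offset
| eval SERVICE_TIME_TAKEN = case(n<=6, 100, n<=8, 400, true(), 700)
| eventstats avg(SERVICE_TIME_TAKEN) as overall_service_time
| timechart span=5m avg(SERVICE_TIME_TAKEN) as service_time, last(overall_service_time) as overall_service_time
| eventstats avg(service_time) as avg_of_bucket_averages
```

overall_service_time weights every event equally (2100/9, about 233.3), while avg_of_bucket_averages weights every bucket equally (400), so the two straight lines coincide only when each bucket holds the same number of events.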

Related

How to make a graph of rex values in Splunk where all data points are shown

In my logs I am printing out "total_time:1.2334" (for example).
I am able to grab the time values with Splunk by using rex: | rex "total_time:(?<time>.*)" |
I want to display each total_time on a time chart (as either a line or a bar graph). However, when I try something like
| timechart values(time) it only shows a few of my data points (for example, only 3 columns are shown in the chart while there are 16 events).
Does anyone know how I can display total_time best with the time on the Y axis and the occurrences on the X axis? Thanks.
The values() function displays the unique settings of the 'time' field, which means you'll see fewer than 16 columns if the same value of total_time appears more than once. Try using | timechart count by time.

Divide two timecharts in Splunk

I want to divide two timecharts (ideally to look also like a timechart, but something else that emphasizes the trend is also good).
I have two types of URLs and I can generate timecharts for them like this:
index=my-index sourcetype=access | regex _raw="GET\s/x/\w+" | timechart count
index=my-index sourcetype=access | regex _raw="/x/\w+/.*/\d+.*\s+HTTP" | timechart count
The purpose is to emphasize that the relative number of URLs of the second type is increasing and the relative number of URLs of the first type is decreasing.
This is why I want to divide them (ideally the second one by the first one).
For example, if the first series generates 2, 4, 8, 4 and the second one generates 4, 9, 20, 12 I want to have only one dashboard showing somehow the result 2, 2.25, 2.5, 3.
I just managed to get together those information by doing this, but not to generate a timechart and not to divide them:
index=my-index sourcetype=access
| eval type = if(match(_raw, "GET\s/x/\w+"), "new", if(match(_raw, "/x/\w+/.*/\d+.*\s+HTTP"), "old", "other"))
| table type
| search type != "other"
| stats count as "Calls" by type
I also tried some approaches using eval, but none of them work.
Try this query:
index=my-index sourcetype=access
| eval type = if(match(_raw, "GET\s/x/\w+"), "new", if(match(_raw, "/x/\w+/.*/\d+.*\s+HTTP"), "old", "other"))
| fields type
| search type != "other"
| timechart count(eval(type="new")) as "New", count(eval(type="old")) as "Old"
| eval Div=if(New=0, 0, Old/New)

Libreoffice Calc Finding MAX from a subset of results

I have a Libreoffice Calc workbook for tracking writing, with 3 sheets in it. 'Time Tracking', 'Time Summary' and 'Yearly Stats'. 'Time Tracking' is where user data is entered, 'Time Summary' is a pivot table for 'Time Tracking'; and 'Yearly Stats' shows long-term progress.
Time Summary (running off some test data) looks a bit like this:
       |Column A (Weeks)       | ... |Column M (Total Words)
-------+-----------------------+-----+----------------------
Row 7  |02/10/17 - 08/10/17    |     |3500
Row 8  |13/11/17 - 19/11/17    |     |2300
Row 9  |30/04/18 - 06/05/18    |     |1000
Row 10 |30/10/17 - 05/11/17    |     |700
Yearly Stats looks like this:
       |A                   |B       |C
-------+--------------------+--------+----
Row 1  |                    |2017    |2018
Row 2  |Total Words         |6500    |1000
...
Row 7  |Max Words (Week)    |3500    |3500
The formula for 'Yearly Stats'.B7:C7 is currently =MAX($'Time Summary'.$M$7:$M$10), but I need to modify it to filter by the year on the column heading.
https://ask.libreoffice.org/en/question/62260/minif-and-maxif-function-in-calc/ looked to be useful, but when I tried it, the MAX from the formula was returning the MAX of ROW - being 10 - rather than ROW returning the position of the MAX value - even though it seems to work in the example file from the link.
The example formula is:
=IFERROR(INDEX($Sheet1.$J$2:$J$13,MAX(ROW($Sheet1.$J$2:$J$13)*($Sheet1.$A$2:$A$13=A2))-1,1),NA())
My formula uses RIGHT() to compare the last two characters of the column heading with the last two chars of the week in $'Time Summary':$A$7:$A$10 and is:
=IFERROR(INDEX($'Time Summary'.$M$7:$M$10,MAX(ROW('Time Summary'.$M$7:$M$10)*(RIGHT($'Time Summary'.$A7:$A$10,2)=RIGHT(B1,2)))-6,1),NA())
I have, of course, remembered to press CTRL+SHIFT+ENTER as the instructions say, to get the array in the formula to work.
So that's the explanation of my problem. What is it that I'm getting wrong?
Ok, this is a bit long-winded, but I've managed to solve the problem by using the following formula:
=IF(MAX(IF(RIGHT(INDIRECT(CONCATENATE("$'Time Summary'.$A7:$A$",COUNTIF($'Time Summary'.$A:$A,"<>''")+2)),2)=RIGHT(B1,2),INDIRECT(CONCATENATE("$'Time Summary'.$Q$",ROW(INDIRECT(CONCATENATE("$'Time Summary'.$Q7:$Q$",COUNTIF($'Time Summary'.$Q:$Q,"<>''")+5))))),0))>0,MAX(IF(RIGHT(INDIRECT(CONCATENATE("$'Time Summary'.$A$7:$A$",COUNTIF($'Time Summary'.$A:$A,"<>''")+2)),2)=RIGHT(B1,2),INDIRECT(CONCATENATE("'Time Summary'.$Q",ROW(INDIRECT(CONCATENATE("$'Time Summary'.$Q$7:$Q$",COUNTIF($'Time Summary'.$Q:$Q,"<>''")+5))))),0)),NA())
It is wrapped in an IF that replaces any 0 result with '#NA' (just for neatness of output).
Also the right half of the ranges specified make use of a calculation to figure out where the bottom row is, leaving out the total, so that's another reason it's so huge.

Strange behaviour of timeslice in Sumo Logic

I have this query in sumo:
_sourceCategory=my_product
| timeslice 1h
| count by _timeslice
In my aggregates list I have a 1h difference between the data:
but in my graph I have a 15 mins segment like this:
So my question is: where do these 15 min segments come from?
Every search result includes a histogram that shows the number of results over time -- this is what your screenshot shows.
The actual results of your query will be shown below that, in the Messages/Aggregates area. Choose the Bar Chart visualisation to see the search results with your hour timeslice.
https://help.sumologic.com/Search/Search-Query-Language/Search-Operators/timeslice

Table Total Column based on cell values - SQL Report Builder 3.0

I have a table built off a dataset containing timesheet data with possible multiple entries per day (day_date) for a given person. The table is grouped on day_date. The field for hours is effort_hr (see dataset and report layout below).
The table generates a single row with one column for each day (as expected).
For each day I want only one value (total hours for person) so the expression is Sum(Fields!effort_hr.Value) This is properly adding up all the hours for each day.
Now I add a total column at the end of the row to see ALL the hours for the whole timesheet. The expression in the total column cell is Sum(Fields!effort_hr.Value) which is exactly the same as the daily ones. Again, this is adding up all hours for the timesheet.
So this is working great.
I now need a new row that only shows a max of 8 hours per day. So if the person works less, it shows less, but if the person works more, show a max of 8.
In this case, the daily column expression is:
IIF(Sum(Fields!effort_hr.Value)>8.0,8.0,Sum(Fields!effort_hr.Value))
And again, it displays perfectly for each day.
The total for this row is where I run into trouble. I have tried so many ways, but I cannot get the total for the columns in this row. The report keeps showing an #Error in the cell. The report saves fine and there is no error in the expr.
The problem seems to come from the fact that there are 2 values for a given day. So in other words, for 5 days, the person has 6 entries. When I try it for a person with only 5 entries, no problem.
I have tried:
Sum(IIF(Sum(Fields!effort_hr.Value)>8.0,8.0,Sum(Fields!effort_hr.Value)))
RunningValue(IIF(Sum(Fields!effort_hr.Value)>8.0,8.0,Sum(Fields!effort_hr.Value)),Sum,Nothing)
I either get an #Error, or I get the wrong total. Is there any way to just get a total for the cell values in the table? The daily numbers are correct, just give me the total at the end (like Excel).
I could do this in the SQL, but that would mess up other parts of this report.
DataSet:
res_name | day_date | effort_hr
J. Doe | Apr 6, 2015 | 2
J. Doe | Apr 6, 2015 | 9
J. Doe | Apr 7, 2015 | 8
J. Doe | Apr 8, 2015 | 7
J. Doe | Apr 9, 2015 | 10
J. Doe | Apr 10, 2015 | 9
REPORT TABLE Layout:
| Apr 6 | Apr 7 | Apr 8 | Apr 9 | Apr 10 | Totals
Total | 11 | 8 | 7 | 10 | 9 | 45
Reg | 8 | 8 | 7 | 8 | 8 | 39
OT | 3 | 0 | 0 | 2 | 1 | 6
Problem:
Row 1 Column Total works great and gives 45 hours ;
Row 2 Column Total either gives #Error, 41, or some other wrong number - just need it to total the actual values of each cell in the row ;
same problem for Row 3 total
Thanks in advance for your time!
Posting another answer as the previous one has become so long.
I referred to this MSDN link, and used the selected answer. Apparently we need to use custom code to achieve this (if you are not willing to change your dataset and have the calculated values in there).
Right click on report --> report properties --> Go to tab 'Code' --> Paste this
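' Running total of the values passed through Getvalue
Dim public nettotal as Double
' Adds the cell's value to the running total and returns it unchanged for display
Public Function Getvalue (ByVal subtotal AS Double) AS Double
    nettotal = nettotal+ subtotal
    return subtotal
End Function
' Returns the accumulated total for the Total cell
Public Function Totalvalue()
    return nettotal
End Function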
In the row group expression of second row put
= code.Getvalue(IIF(Sum(Fields!Efforts.Value)>8.0,8.0,Sum(Fields!Efforts.Value)))
In the Total cell expression (for second row) put
=code.Totalvalue()
Save and run, you should see following result.
I used your input data and tried to create the report in given format. I used following function for Row 2 Total
=Sum(IIF(Fields!Efforts.Value>8.0,8.0,Fields!Efforts.Value),"DataSet1",Recursive)
This shows sum as 39 for second row. You can try and let me know if it works for you. If it doesn't I will list the exact steps how I created Matrix and groups.
Note: Don't forget to put your dataset name in the second argument of function Sum. And Recursive, as clear by name, applies Sum recursively for the group.
Update: I followed following steps.
1. Add a Matrix on the report.
2. Under Column group section on Matrix, Select any column name from the dataset. (Otherwise it won't show any columns in the next step)
3. Right click Column --> Add Group --> (Under column group) Add Parent Group. Select Day as Group By --> OK. It will create a new row. Put expression Sum(Efforts) in first row. And your expression =IIF(Sum(Fields!Efforts.Value)>8.0,8.0,Sum(Fields!Efforts.Value)) in the second row.
4. Right click on the column group section in the group pane --> Select Add Total --> After. It will add new column at the end of Matrix. Put expression Sum(Efforts) in first row and expression =Sum(IIF(Fields!Efforts.Value>8.0,8.0,Fields!Efforts.Value),"DataSet1",Recursive) in the second row.
Save and run you should see following in the report.
Remember to change the names of columns and dataset as per your code.
This is an idea on how to do such grouping, obviously you'd need to do changes for the headers and the 3rd row etc.
HTH.