TimeChart from 2 datasource.

SplunkBaby · ‎02-16-2014

Hi
I have 2 data source say DS1 and DS2.
There is a common field called EMPID for this two data source.
I want to generate a report based on below conditions.
Want to get the time chart with average for all EMPID’s on Y axis and _time on X axis.
average in my case is calculated based on below conditions.
Average=sum(field1) from DS1( dataource1)/sum(field2)from DS2(dataource2).
I tried and generated up to below. But I don’t know how to get the desired result from this,
Can anybody help me pls.

kristian_kolb · ‎02-16-2014

At the moment your search does not really deal with the _time element. And it also has a join, which seems a bit unecessary.

Have you considered making a timechart without the join?

your search for events | timechart span=1h sum(field1) as sum_1 sum(field_2) as sum_2 | eval ratio = sum_1/sum_2 | fields + ratio, _time

Then select the "visualization" tab in the search results.

/K

SplunkBaby · ‎02-17-2014

The purpose of join is to get the group of employee id's.
Ex:
for consider empid=10 present in both data source.
In DS1 sum(field1) will be 20 and in DS2 sum(field2) is 10.
I want to get the average for empid 10.
Likewise I want to get the result for all employee Ids present in both DataSourcec in a single search.

TimeChart from 2 datasource.

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!