Taking the game up another level, the ability to use eval statements within Timechart increases flexibility immensely. Suppose you have a health page where you can look at one server out of twenty, or one partner out of seven, or any other scenario where
you're comparing one fungible element to the average of others. Without using eval in timechart, you'd probably end up needing to do a search for your server, and then appendcols a search for all the others, and eval the math afterward. That would work, but you'd end up going over the same time period twice, which is inefficient.
But there's a better way!
index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
| eval MB=kb/1024
| bucket _time span=1d
| stats sum(MB) as MB by series, _time
| timechart span=1d sum(eval(if(series="_internal",MB,0))) as InternalIndexed, sum(eval(if(series!="_internal",MB,0))) as AllOthersIndexed
| eval PercentOfTotal = tostring(round((InternalIndexed/AllOthersIndexed)*100,2)) . "%"
This will first look calculate the daily sum for each (this is one of the scenarios where you need to use Timechart versus Stats�for the details.
Ready for more? Check out:- Basic Syntax
- Advanced Statistics
- Analyzing Trends�(Comparing Summarized Hours, Days, or Etc.)
- Using Eval Within Timechart (or how to make your searches 20 times more performant)
- Timechart versus Stats