https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496989#M138450 <P>Hello Splunk Community,</P> <P>I am trying to create dashboard with the following query but the query returns no results. I am using the query to: <BR /> extract the batch size and duration (they are in different source types. duration is in sourcetype = "AAA"and batch size is in sourcetype = "BBB") than extract the batch size =1, find the duration for that same request by joint both events using transaction ID and search for batch size = 1. But when I add the following line:</P> <P>| timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10 </P> <P>the query return noting. </P> <P>index =ose_index source="<EM>ent-splunk-pyx</EM>" (svc=/service/detokenize AND "duration") OR ("Batch Detokenization Operation, batch size:")<BR /> | rex field=<EM>raw "Batch Detokenization Operation, batch size: (?\d+)" <BR /> | rex field=_raw "txid=(?([a-z0-9</EM>.-]+))"<BR /> | eval duration = round(duration/1000, 3) <BR /> | stats max(duration) as Duration values(Batch_Size) as Batch_Size by ID<BR /> | search Duration=* Batch_Size=1<BR /> | timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10</P> <P>If I remove the last line and use "| stats avg(Duration) " I am getting the avg result but this is not the way I want it. I must use "| timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10" because it is a part of a template that the company is using and I can't change this part. </P> Wed, 30 Sep 2020 04:39:15 GMT dminev1 2020-09-30T04:39:15Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496989#M138450 <P>Hello Splunk Community,</P> <P>I am trying to create dashboard with the following query but the query returns no results. I am using the query to: <BR /> extract the batch size and duration (they are in different source types. duration is in sourcetype = "AAA"and batch size is in sourcetype = "BBB") than extract the batch size =1, find the duration for that same request by joint both events using transaction ID and search for batch size = 1. But when I add the following line:</P> <P>| timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10 </P> <P>the query return noting. </P> <P>index =ose_index source="<EM>ent-splunk-pyx</EM>" (svc=/service/detokenize AND "duration") OR ("Batch Detokenization Operation, batch size:")<BR /> | rex field=<EM>raw "Batch Detokenization Operation, batch size: (?\d+)" <BR /> | rex field=_raw "txid=(?([a-z0-9</EM>.-]+))"<BR /> | eval duration = round(duration/1000, 3) <BR /> | stats max(duration) as Duration values(Batch_Size) as Batch_Size by ID<BR /> | search Duration=* Batch_Size=1<BR /> | timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10</P> <P>If I remove the last line and use "| stats avg(Duration) " I am getting the avg result but this is not the way I want it. I must use "| timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10" because it is a part of a template that the company is using and I can't change this part. </P> Wed, 30 Sep 2020 04:39:15 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496989#M138450 dminev1 2020-09-30T04:39:15Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496990#M138451 <P>Try rewriting your last line as follows:<BR /> | eval(round(avg(duration),0)) as AVG_Response_Time(ms) | timechart span=5m | search "AVG_Response_Time(ms)" &gt; 10,try rewriting your line as follows:</P> <P>| eval(round(avg(duration),0)) as AVG_Response_Time(ms) | timechart span=5m | search "AVG_Response_Time(ms)" &gt; 10</P> Wed, 30 Sep 2020 04:35:03 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496990#M138451 ttilstra 2020-09-30T04:35:03Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496991#M138452 <P>Try breaking the <CODE>timechart</CODE> command apart.</P> <PRE><CODE>| timechart span=5m avg(Duration) as ART | eval ART=round(ART,0) | where ART &gt; 10 | rename ART as "AVG_Response_Time(ms)" </CODE></PRE> Tue, 17 Mar 2020 16:57:30 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496991#M138452 richgalloway 2020-03-17T16:57:30Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496992#M138453 <P>I did try your suggestion and broke timechart. Still no result for average </P> Tue, 17 Mar 2020 17:04:19 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496992#M138453 dminev1 2020-03-17T17:04:19Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496993#M138454 <P>I missed it the first time. "duration" should be "Duration". Updated my answer.</P> Tue, 17 Mar 2020 17:46:34 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496993#M138454 richgalloway 2020-03-17T17:46:34Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496994#M138455 <P>I noticed this and made the change. Still no result </P> <P>This is what I have now: </P> <P>index =ose_index source="ent-splunk-pyx" (svc=/service/detokenize AND "duration") OR ("Batch Detokenization Operation, batch size:")<BR /> | rex field=<EM>raw "Batch Detokenization Operation, batch size: (?\d+)" <BR /> | rex field=_raw "txid=(?([a-z0-9</EM>.-]+))"<BR /> | eval duration = round(duration/1000, 3) <BR /> | stats max(duration) as Duration values(Batch_Size) as Batch_Size by ID<BR /> | search Duration=* Batch_Size=1<BR /> | timechart span=5m avg(Duration) as ART<BR /> | eval ART=round(ART,0)<BR /> | where ART &gt; 10<BR /> | rename ART as "AVG_Response_Time(ms)"</P> Wed, 30 Sep 2020 04:39:22 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496994#M138455 dminev1 2020-09-30T04:39:22Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496995#M138456 <P>Try this:</P> <PRE><CODE>index =ose_index source="*ent-splunk-pyx*" (svc=/service/detokenize AND "duration") OR ("Batch Detokenization Operation, batch size:") | rex field=_raw "Batch Detokenization Operation, batch size: (?\d+)" | rex field=_raw "txid=(?([a-z0-9_\.-]+))" | eventstats values(Batch_Size) AS Batch_Size BY ID | search duration="*" AND Batch_Size="1" | timechart span=5m eval(round(avg(duration/1000),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" &gt; 10 </CODE></PRE> Wed, 18 Mar 2020 02:07:44 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496995#M138456 woodcock 2020-03-18T02:07:44Z https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496996#M138457 <P>When I run the query I am getting the following error:</P> <P>Error in 'timechart' command: The eval expression has no fields: 'round(avg(duration/1000),0)'.</P> Wed, 18 Mar 2020 12:28:51 GMT https://community.splunk.com/t5/Splunk-Search/Getting-average-response-after-joining-2-sourcetypes/m-p/496996#M138457 dminev1 2020-03-18T12:28:51Z