https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540989#M153133 <P>Add the second aggregation to the timechart command</P><P>&nbsp;</P><LI-CODE lang="markup">index= ... |eval Amount=lost_packages |where 2500 &gt; Amount and Amount &gt; 50 |timechart span=24h count(Amount) avg(Amount) aligntime=@d</LI-CODE><P>&nbsp;</P><P>You will probably want to put the average on a separate Y axis to the count - so format the timechart as needed.</P><P>&nbsp;</P> Tue, 23 Feb 2021 10:47:05 GMT bowesmana 2021-02-23T10:47:05Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540984#M153129 <P>Hi,&nbsp;</P><P>I am pretty new to splunk and need help with a timechart.</P><P>I have a timechart, that shows the count of packagelosses &gt;50 per day. Now I want to add an average line to the chart, that matches to the chosen space of time.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index= ... |eval Amount=lost_packages |where 2500 &gt; Amount and Amount &gt; 50 |timechart span=24h count(Amount) aligntime=@d</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Can somebody tell me how i can calculate the average of Amount in the chosen space of time and how I can add the average to the timechart?&nbsp;&nbsp;</P> Tue, 23 Feb 2021 10:25:14 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540984#M153129 schufi01 2021-02-23T10:25:14Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540989#M153133 <P>Add the second aggregation to the timechart command</P><P>&nbsp;</P><LI-CODE lang="markup">index= ... |eval Amount=lost_packages |where 2500 &gt; Amount and Amount &gt; 50 |timechart span=24h count(Amount) avg(Amount) aligntime=@d</LI-CODE><P>&nbsp;</P><P>You will probably want to put the average on a separate Y axis to the count - so format the timechart as needed.</P><P>&nbsp;</P> Tue, 23 Feb 2021 10:47:05 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540989#M153133 bowesmana 2021-02-23T10:47:05Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540992#M153135 <P>I already tried this before. avg(Amount) gives different averages for every single day. My goal is to get one single average for the whole time span. E.g. last month, I had an average of 50 per day (It should just be a straight line).</P> Tue, 23 Feb 2021 10:56:23 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540992#M153135 schufi01 2021-02-23T10:56:23Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540995#M153137 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231793">@schufi01</a>&nbsp;</P><P>Ah, I misunderstood. Then do this</P><LI-CODE lang="markup">index= ... | eval Amount=lost_packages | where 2500 &gt; Amount and Amount &gt; 50 | timechart span=24h count(Amount) as Count sum(Amount) as Total aligntime=@d | eventstats sum(Count) as TotalCount sum(Total) as TotalAmount | eval Average=TotalAmount/TotalCount | fields - TotalCount TotalAmount</LI-CODE><P>This just calculates the TotalCount and TotalAmount for the period and calculates the average</P><P>&nbsp;</P> Tue, 23 Feb 2021 11:36:08 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/540995#M153137 bowesmana 2021-02-23T11:36:08Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541001#M153140 <P>It works now, thank you. However, I would like to change something to get better information. At the Moment I can see how many packages have been lost on average. Is it possible to show the average number of events with Packagelosses &gt;50 in the selected time space?&nbsp;</P><P>For example:&nbsp;</P><P>&nbsp;</P><P>Monday: 3 Losses (with 51,53,55 Packages that have been lost)</P><P>Tuesday: 2 Losses(with 61,63,Packages that have been lost)</P><P>Wednesday: 4 Losses(with 51,53,55,57 Packages that have been lost)</P><P>&nbsp;</P><P>At the moment the average gives me 55.444</P><P>Is it possible, that the average gives me the average number of events per day, which would be 3?&nbsp;</P><P>--&gt;(3+2+4)/3</P><P>&nbsp;</P> Tue, 23 Feb 2021 11:57:08 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541001#M153140 schufi01 2021-02-23T11:57:08Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541006#M153142 <P>I guess the last eval line must be changed.</P><P>&nbsp;</P><P>It should be something like |eval Average= TotalCount/Timespan. But how can I get this working?</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;</P> Tue, 23 Feb 2021 13:10:32 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541006#M153142 schufi01 2021-02-23T13:10:32Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541140#M153186 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231793">@schufi01</a>&nbsp;</P><P>To work out the number of days in your search window, this should do the trick</P><LI-CODE lang="markup">| addinfo | eval days=round((info_max_time-info_min_time)/86400) | eval averagePerDay=TotalCount/days | fields - days info_*</LI-CODE><P>&nbsp;</P> Wed, 24 Feb 2021 09:07:44 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541140#M153186 bowesmana 2021-02-24T09:07:44Z https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541145#M153190 <P>Thank you! It works perfectly <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Wed, 24 Feb 2021 09:17:46 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-average/m-p/541145#M153190 schufi01 2021-02-24T09:17:46Z