topic Re: How to get average count of one field by day as a line chart in Splunk Search

How to get average count of one field by day as a line chart

vmvd — Tue, 02 Mar 2021 23:15:04 GMT

I have events that contain a userId field and I would like to make a line chart to visualize the average count per day of that field. How can I do this?

So far I have tried the following and a couple other arrangements but nothing is working.

index=foo | stats count by userId, _time | timechart avg(count)

(I am using Splunk enterprise 6.5.1. btw)

Re: How to get average count of one field by day as a line chart

richgalloway — Wed, 03 Mar 2021 01:22:21 GMT

Those commands (and those that follow) should work on your antique version of Splunk, but you really should upgrade soon.

"Nothing is working" is not helpful as a problem statement. Describe the output and how it fails to meet expectations.

The fix could be something simple like adding "by userId" to the timechart command (which worked for me), or something more complex. It depends on what results you want.

Re: How to get average count of one field by day as a line chart

vmvd — Wed, 03 Mar 2021 17:35:41 GMT

When I plug this query into splunk and go to visualization and select line chart, I get a flat line. Under the visualization it shows _time as a column and avg(count) as a column. Under _time it lists days. Under avg(count) it lists1.0000 for every day.

The visualization shows a flat line, but should be varying because the avg(count) of the userId should not be 1.0000 every day. It varies but tends to be around 6.

Adding "by userId" to the end of the query creates a column for every userId, and there are thousands. I do not want a line for every userId.

I have tried taking _time out so that by query is "index=foo | stats count by userId | timechart avg(count)" but then I get "No results found". There are events that should be found however.

Re: How to get average count of one field by day as a line chart

richgalloway — Wed, 03 Mar 2021 18:40:36 GMT

The timechart command requires the _time field so stats must always be by that field.

I suspect what is happening is each userId event has a unique timestamp so the stats command is producing a count field of only 1. The fix for that is the bin command.

index=foo | bin span=1d _time | stats count by userId, _time | timechart span=1d avg(count) as AvgCount