topic Re: Splunk AVG Query in Splunk Search

Splunk AVG Query

rai4shambhavi — Fri, 06 Aug 2021 08:30:17 GMT

I am consuming some data using an API, I want to calculate avg time it took for all my customer, after each ingestion (data consumed for a particular customer), I print a time matrix for that customer.

timechart span=24h avg(total_time)

Now to calculate average I cannot simply extract the time field and do avg(total_time), because if customerA completes ingestion in 1 hour, and customerB takes 24 hours, customer A will be logged 24 times and B will be logged once, giving me inaccurate results and bringing down the average.

How do I create a filter let's say time duration is 7 days, so I get only those log lines for a particular customer which has the maximum total_time over a period of 7 days. i.e one log line per customer that has max total_time over a period of 7 days for that particular customer.

Re: Splunk AVG Query

ITWhisperer — Fri, 06 Aug 2021 08:52:36 GMT

timechart span=24h avg(total_time) by customer

How are you getting 24 events for customerA if they only ingested once?

Re: Splunk AVG Query

rai4shambhavi — Fri, 06 Aug 2021 09:04:33 GMT

The ingestion time for customer A is let's suppose close to 1 hour, so in 24 hours there will be 24 events logged, let's say 50mins, 61mins, 54 mins ... and so on, so there will be 24 events for customer A, customer B takes roughly 24 hours and got ingested once, so now i want the avg (max(customerA), max(customer B)) over a certain period of time let's say 7 days

Re: Splunk AVG Query

rai4shambhavi — Fri, 06 Aug 2021 09:05:56 GMT

The process is cyclic and continuous, it keeps happening again and again

Re: Splunk AVG Query

ITWhisperer — Fri, 06 Aug 2021 09:26:09 GMT

| timechart span=24h max(total_time) as max_time by customer | stats avg(max_time) as average by customer

Re: Splunk AVG Query

rai4shambhavi — Fri, 06 Aug 2021 09:45:46 GMT

The timechart part works. But adding stats line after that doesn't give any visualization and stats

Re: Splunk AVG Query

ITWhisperer — Fri, 06 Aug 2021 11:51:05 GMT

I am not exactly sure what you are trying to visualise. Is it like a rolling average of the daily maximums, or a cumulative average i.e. average from the start to each day, or something like that?

Re: Splunk AVG Query

rai4shambhavi — Fri, 06 Aug 2021 12:05:55 GMT

if I have 10 customers A, B, C and so on, each customer is doing it's own ingestion at it's own speed, after each ingestion, each customer will produce a log line. This process is cyclic and continuous, so let's suppose A completed ingestion 10 times in 24 hours, B completed ingestion 5 times in 24 hours and so on... what I want is

avg(max time taken by A , max time taken by B, maximum time taken by C,...... and so on)

Re: Splunk AVG Query

ITWhisperer — Fri, 06 Aug 2021 12:08:34 GMT

OK so the stats needs to get the average for all customers each day

| timechart span=24h max(total_time) as max_time by customer | stats avg(max_time) as average by _time

Re: Splunk AVG Query

rai4shambhavi — Fri, 06 Aug 2021 13:09:20 GMT

I am seeing blank responses

Re: Splunk AVG Query

ITWhisperer — Fri, 06 Aug 2021 14:13:18 GMT

Try it this way around

| bin _time span=24h | stats max(total_time) as max_time by _time customer | timechart span=24h avg(max_time) as average