https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177464#M51033 <P>Thanks for the quick response. Not sure how this works, but it does.</P> Fri, 07 Nov 2014 19:23:34 GMT bradj013 2014-11-07T19:23:34Z https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177462#M51031 <P>Splunk=6.1.4</P> <P>My search looks like this:<BR /> | transaction TransID keepevicted=true | search eventcount=2 | timechart limit=0 span=1m max(duration) by host</P> <P>Trying to add an average transaction duration overlay (global not by host) to the chart by adding to the search term: "| eventstats avg(max(duration)) as average | eval average=round(average,0)" and selecting "average" as the overlay value. The overlay is blank.</P> Thu, 30 Oct 2014 19:43:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177462#M51031 bradj013 2014-10-30T19:43:21Z https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177463#M51032 <P>Your search is shooting blanks because there is no field <CODE>duration</CODE> in the results of your <CODE>timechart</CODE>. Try this:</P> <PRE><CODE>... | timechart ... by host | eval _count = 0 | foreach * [eval _count = _count + 1] | addtotals fieldname=_total | eval average = _total / _count </CODE></PRE> <P>Configure the chart to overlay the field <CODE>average</CODE>.</P> Thu, 30 Oct 2014 20:25:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177463#M51032 martin_mueller 2014-10-30T20:25:31Z https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177464#M51033 <P>Thanks for the quick response. Not sure how this works, but it does.</P> Fri, 07 Nov 2014 19:23:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177464#M51033 bradj013 2014-11-07T19:23:34Z https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177465#M51034 <P>Heh. A little walk-through: You have fields named after your hosts, so you can't access one field called <CODE>duration</CODE>. Calculating an average is the same as calculating a sum and a count, then dividing the two. That's what I'm doing here:</P> <UL> <LI>set up the counter</LI> <LI>count how many fields (hosts) you have</LI> <LI>sum up the values</LI> <LI>divide the two</LI> </UL> <P>All that is done with <CODE>_fieldnames</CODE> starting with an underscore, so there's no need to hide them using <CODE>fields - _count _total</CODE> because the chart doesn't see them anyway... yeah, I'm lazy.</P> Fri, 07 Nov 2014 19:42:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177465#M51034 martin_mueller 2014-11-07T19:42:10Z https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177466#M51035 <P>Laziness in success drives efficiency.</P> Wed, 05 Aug 2015 22:30:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-an-average-transaction-duration-overlay-to-a/m-p/177466#M51035 landen99 2015-08-05T22:30:03Z