How to aggregate data in an index

New Member

Right now we receive and store several data points per second in an index and do reporting on it.
In the future we would like to aggregate this data by calculating the average value of all data points (integer values) per minute and store it in a seperate index,
How do you do this?

0 Karma



you could try:

index=source_index | timechart span=1minute avg(your_integer_field) AS your_integer_field |  collect index=destination_index

Check out the collect command:

Greetings Chris

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!