Hi, I'm looking to create a graph to show the moving 'average time' for multiple events.
The initial search is :
index=wpap host=ukdc*-pc-apa* source="E:\LogFiles\NotificationsManager\Operations.log" | search "Notification Complete"
Within these events there is a key 'totalDuration=9563'.
This duration is the time in seconds for the 'notification process' to complete.
I would like to show the moving average for all 'Notification complete' events using the 'TotalDuration' time over a 5 minute period.
Please help!
We just did this for a very similar case. https://answers.splunk.com/answers/522301/how-to-create-and-calculate-a-response-time-graph.html
Here's the version for Splunk 6.4+...
earliest=-16m@m
index=wpap host=ukdc*-pc-apa*
source="E:\\LogFiles\\NotificationsManager\\Operations.log"
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| streamstats time_window=5m avg(totalDuration) as avgDuration
| addinfo
| bin info_max_time as maxtime span=10s
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration) as avgDuration
Here's a version for earlier versions of Splunk...
earliest=-16m@m
index=wpap host=ukdc*-pc-apa*
source="E:\\LogFiles\\NotificationsManager\\Operations.log"
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| eval timefan=mvrange(0,300,10)
| mvexpand timefan
| eval _time=_time+timefan
| stats avg(totalDuration) as avgDuration by _time
| addinfo
| bin info_max_time as maxtime span=10s
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration) as avgDuration
Both of the above present the trailing 5-minute moving average for events from ten minutes ago to the present, in 10-second increments.
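As an added illustration (not code from the thread or from Splunk), here is the same pipeline as the 6.4+ search written in Python, so the 10-second bucketing, the trailing 5-minute window and the where-clause trimming can be checked against known data. The window semantics (buckets whose time lies in (b - 5m, b], empty buckets absent), the totalDuration regex and the epoch timestamps are assumptions; the sample events are constructed. It also shows why the where clause returns no rows when the search's time range is not longer than the 5-minute window.

```python
import re
from collections import defaultdict

BIN = 10      # seconds per bucket: "bin _time span=10s"
WINDOW = 300  # trailing window in seconds: "streamstats time_window=5m"
DURATION = re.compile(r"totalDuration=(\d+)")  # assumed key=value format

def parse_duration(line):
    """totalDuration of a 'Notification Complete' line, else None."""
    m = DURATION.search(line) if "Notification Complete" in line else None
    return int(m.group(1)) if m else None

def per_bin_average(events):
    """bin _time span=10s | stats avg(totalDuration) by _time (empty buckets absent)."""
    buckets = defaultdict(list)
    for t, line in events:
        d = parse_duration(line)
        if d is not None:
            buckets[t - t % BIN].append(d)
    return {b: sum(v) / len(v) for b, v in buckets.items()}

def trailing_average(bin_avgs):
    """streamstats time_window=5m avg(...): mean of the buckets present in
    (b - WINDOW, b] for each bucket b (assumed window semantics)."""
    times = sorted(bin_avgs)
    result = {}
    for b in times:
        vals = [bin_avgs[x] for x in times if b - WINDOW < x <= b]
        result[b] = sum(vals) / len(vals)
    return result

def trim_incomplete(moving, info_min_time, info_max_time):
    """where (_time >= info_min_time+300) and (_time < maxtime), maxtime = bin(info_max_time)."""
    maxtime = info_max_time - info_max_time % BIN
    return {b: v for b, v in moving.items() if info_min_time + WINDOW <= b < maxtime}

def moving_average(events, earliest, latest):
    """Full pipeline over (epoch_seconds, raw_line) events within [earliest, latest)."""
    in_range = [e for e in events if earliest <= e[0] < latest]
    return trim_incomplete(trailing_average(per_bin_average(in_range)), earliest, latest)

# Constructed sample events (not from the thread); epoch seconds stand in for real timestamps.
BASE = 1_700_000_000
SAMPLE = [
    (BASE + 3,   "Notification Complete totalDuration=9563"),
    (BASE + 7,   "Notification Complete totalDuration=9000"),
    (BASE + 15,  "Notification Complete totalDuration=8000"),
    (BASE + 20,  "Notification Started id=42"),  # no duration: ignored
    (BASE + 305, "Notification Complete totalDuration=7000"),
    (BASE + 620, "Notification Complete totalDuration=6000"),
    (BASE + 955, "Notification Complete totalDuration=5000"),
]
```

With a 16-minute range (`moving_average(SAMPLE, BASE, BASE + 960)`) the first five minutes and the partial last bucket are dropped, leaving three points; with a 5-minute range (`moving_average(SAMPLE, BASE + 600, BASE + 900)`) every bucket fails `_time >= info_min_time+300` and the result is empty.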
Thanks, that's working great. I used the search just before the 'where' parameter as it was showing 'null data'.
Thanks this is just what I need to work with.
Paul