Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Graph to show averages for moving events over a particular period.

ballyp
Engager
‎04-24-2017 06:32 AM

Hi I'm looking to create a graph to show the moving 'average time' for multiple events.

The initial search is :
index=wpap host=ukdc*-pc-apa* source="E:\LogFiles\NotificationsManager\Operations.log" | search "Notification Complete"

Within this events there is a key 'totalDuration=9563'

This duration is in seconds for the 'notification process to complete.

I would like to show the moving average for all 'Notification complete' events using the 'TotalDuration' time over a 5 minute period.

Please help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-24-2017 04:36 PM

We just did this for a very similar case. https://answers.splunk.com/answers/522301/how-to-create-and-calculate-a-response-time-graph.html

Here's the version for splunk 6.4+...

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| streamstats time_window=5m avg(totalDuration) as avgDuration 
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Here's a version for earlier versions of splunk... 

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| eval timefan=mvrange(0,300,10)
| stats avg(totalDuration) as avgDuration by _time
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Both of the above present the trailing 5-minute moving average for events from ten minutes ago to the present, in 10-second increments.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-24-2017 04:36 PM

We just did this for a very similar case. https://answers.splunk.com/answers/522301/how-to-create-and-calculate-a-response-time-graph.html

Here's the version for splunk 6.4+...

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| streamstats time_window=5m avg(totalDuration) as avgDuration 
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Here's a version for earlier versions of splunk... 

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| eval timefan=mvrange(0,300,10)
| stats avg(totalDuration) as avgDuration by _time
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Both of the above present the trailing 5-minute moving average for events from ten minutes ago to the present, in 10-second increments.

0 Karma
Reply
Solved! Jump to solution

ballyp
Engager
‎04-25-2017 05:42 AM

thanks that's working great, I used the search just before the 'Where' parameter as it was showing 'null data'

Thanks this is just what I need to work with.

Paul

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...