I am trying to create a radial gauge chart to display a particular event rate. Without aggregation the chart shows up, but once I add avg by a timespan the chart becomes blank.
index="my_index"
"My Log"
| bin _time span=1m
| stats avg(count) by _time as rpm
| gauge rpm 50 100 150 200 250
This query shows the chart but I want the rate not count.
index="my_index"
"My Log"
| stats count as rpm
| gauge rpm 50 100 150 200 250
@asubramanian what you are trying to do is not quite clear from your question and the SPL shared. If you want to get the average rate of your logs for the selected time range, aggregated in spans of 1 min, you should use timechart first with span=1min and then perform the average. For example, the following run-anywhere example is based on Splunk's _internal index. It gets data for the last 60 min and counts the "INFO" logs every minute. It then performs an average of those using stats (PS: timechart here will be of no use if the viz. is supposed to be a Gauge).
index="_internal" sourcetype="splunkd" log_level="INFO" earliest=-60min
| timechart count span=1min
| bin _time span=1min
| stats avg(count) as rpm
| gauge rpm 50 100 150 200 250
Please try it out and confirm!
Looks like I was using the new field assignment wrong. "Simple: stats (stats-function(field) [AS field])... [BY field-list]"
Moving "by" towards the end worked.
Can you please elaborate why I should use timechart here before evaluating, and how the avg is calculated there?
First off, I had assumed that count is actually not a field that exists in your data, so you would not have been able to perform avg(count) on your raw data. But it seems like count is an actual field. However, besides that there is another reason for performing timechart first, which depends on your actual use case and choice of Gauge visualization.
With a radial gauge you can show only one value against the various ranges you have defined.
Which is why, if your use case is to get the avg rpm for the total count of every minute of data for the selected time period, then you should bucket the count every minute and do a final average. That is why I have used timechart of count per minute for the selected time period and then performed a final stats for the average.
What you are doing is creating a trend of every minute of average count for the selected time range, but showing the latest minute of average value in the Radial Gauge, as it selects only the first value (not the entire trend). If this is the actual use case you can actually run the query for the last 60 seconds and perform the average, and the output should be the same.
Hope the difference makes sense.
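As an added illustration that is not part of this thread, the following Python simulates the two pipelines discussed above on a few constructed events: bucketing timestamps to 1-minute spans (bin/timechart), counting per bucket and averaging those counts into the single rpm value the answer recommends, versus averaging a per-event count field by _time, which yields a trend from which a gauge (per the answer's explanation) shows only the first row. The event timestamps, the per-event "count" values and the function names are all assumptions made for the example; the 60-second span and the idea of one value per gauge come from the thread.

```python
from collections import defaultdict
from statistics import mean

SPAN = 60  # seconds; the same 1-minute bucket as span=1m / span=1min in the thread

# Constructed sample events (not real log data): (epoch seconds, value of a
# per-event "count" field). Base timestamp 1704067200 is 2024-01-01T00:00:00Z.
BASE = 1704067200
EVENTS = [
    (BASE + 5, 3),
    (BASE + 20, 5),
    (BASE + 70, 2),
    (BASE + 75, 4),
    (BASE + 90, 6),
    (BASE + 130, 1),
]


def bin_time(ts, span=SPAN):
    """Like `bin _time span=1m`: floor the timestamp to the start of its bucket."""
    return ts - (ts % span)


def count_per_minute(events):
    """Like `timechart count span=1min`: number of events per 1-minute bucket, ordered by time."""
    buckets = defaultdict(int)
    for ts, _ in events:
        buckets[bin_time(ts)] += 1
    return sorted(buckets.items())


def rpm_single_value(events):
    """The answer's pipeline: per-minute counts, then `stats avg(count) as rpm`.

    Returns one number (average events per minute over the whole range),
    which is the single value a radial gauge can display.
    """
    counts = [c for _, c in count_per_minute(events)]
    return mean(counts)


def avg_count_by_minute(events):
    """The asker's pipeline when `count` is a real per-event field:
    `stats avg(count) as rpm by _time` -> one row per minute (a trend)."""
    buckets = defaultdict(list)
    for ts, count in events:
        buckets[bin_time(ts)].append(count)
    return [(t, mean(vals)) for t, vals in sorted(buckets.items())]


def gauge_value(rows, field_index=1):
    """A radial gauge renders a single value; with several rows it takes the
    first row's value of the gauged field (as the answer above describes).
    An empty result leaves the gauge blank (None here)."""
    if not rows:
        return None
    return rows[0][field_index]


if __name__ == "__main__":
    print("per-minute counts:", count_per_minute(EVENTS))
    print("rpm for the gauge:", rpm_single_value(EVENTS))
    trend = avg_count_by_minute(EVENTS)
    print("avg(count) by _time trend:", trend)
    print("what the gauge would show from the trend:", gauge_value(trend))
```

On the sample data the recommended pipeline yields one value (2 events per minute over three minutes), whereas averaging the per-event field by _time yields three rows and the gauge would display only the first of them; the thread's original blank gauge came from the misplaced "as rpm" clause, which leaves no field named rpm for the gauge command to read.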