Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I split my data to show the average based ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
angersleek
Path Finder
12-10-2018
05:19 AM
I am using the following query to split my data to show the average, min, and max based on the fields. But, I seem to be getting a total value instead of a proper split.
Expected outcome: (I am open to ideas if there is a better way of displaying this)
average maximum minimum environment app_name
10 100 2 env 1 service 1
12 180 3 env 1 service 2
13 110 22 env 1 service 3
34 100 21 env 1 service 4
66 290 0 env 1 service 5
10 100 2 env 2 service 1
12 180 3 env 2 service 2
13 110 22 env 2 service 3
34 100 21 env 2 service 4
66 290 0 env 2 service 5
Actual outcome
average maximum minimum environment app_name
134 100 12 env 1 service 1
env 2 service 2
service 3
service 4
service 5
Search used:
some_search=* environment=* some_time=* | chart avg(some_time) as average, max(some_time) as maximum, min(some_time) as minimum, values(environment) as environment, values(app_name)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whrg
Motivator
12-10-2018
05:38 AM
Hi! Use the stats command along with the by clause when charting over multiple fields.
Try it like this:
| stats avg(some_time) as average max(some_time) as maximum min(some_time) as minimum by environment,app_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whrg
Motivator
12-10-2018
05:38 AM
Hi! Use the stats command along with the by clause when charting over multiple fields.
Try it like this:
| stats avg(some_time) as average max(some_time) as maximum min(some_time) as minimum by environment,app_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
angersleek
Path Finder
12-10-2018
06:16 AM
Perfect. Thanks.
Get Updates on the Splunk Community!
Splunk MCP & Agentic AI: Machine Data Without Limits
Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...
Finding Based Detections General Availability
Overview
We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...
Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience
Hands-On Learning and Technical Seminars
Sometimes, you just need to see the code. For those looking for a ...
