Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Statistics: Creating Histogram out of a time bucketed Statictic

oldtester
Explorer
‎06-03-2015 08:17 AM

Excited to post my first Splunk question.

I want to perform statistical analysis on API response time that I get from our app server log.

The log format is:
timestamp1 API=<api1> ResponseTime=<R1>
timestamp2 API=<api2> ResponseTime=<R2>
timestamp3 API=<api3> ResponseTime=<R3>
timestamp1 API=<api1> ResponseTime=<R4>
..
..
For a week of data I want to plot the histogram of the hourly average of ResponseTime for api1.

I did the following query:
index=<index> api1|bucket _time span=1h|stats avg(ResponseTime) by _time

Now how do I take the result of the above query and build a histogram?

I did the following:
index=<index> api1|bucket _time span=1h|stats avg(ResponseTime) by _time as X|stats count(X)

But this query seems to be wrong.

Could you please recommend the correct query?

Reply
1 Solution
Solved! Jump to solution
Solution

oldtester
Explorer
‎06-03-2015 09:01 AM

Hi ngatchasandra,

It is not resulting in a series of values to plot a histogram. It is returning a single number(count).
What I am looking for is a frequency chart of hoourly average values .

I did the following:
index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)
It is indeed giving a set of values for the average. Now, how in the search I do a frequency chart of these values?

View solution in original post

Reply
Solved! Jump to solution

oldtester
Explorer
‎06-03-2015 11:31 AM

Looks like it is working!. Just added bins=100 to your query.
index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)|chart count by values(x) bins=100

Reply
Solved! Jump to solution

ngatchasandra
Builder
‎06-04-2015 05:48 AM

Please, you did not give me points . Perhaps it is to you even you have to give the points. Can you correct it?

0 Karma
Reply
Solved! Jump to solution
Solution

oldtester
Explorer
‎06-03-2015 09:01 AM

Hi ngatchasandra,

It is not resulting in a series of values to plot a histogram. It is returning a single number(count).
What I am looking for is a frequency chart of hoourly average values .

I did the following:
index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)
It is indeed giving a set of values for the average. Now, how in the search I do a frequency chart of these values?

Reply
Solved! Jump to solution

ngatchasandra
Builder
‎06-03-2015 09:23 AM

Yes, try with index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)|chart count by values(x)

0 Karma
Reply
Solved! Jump to solution

ngatchasandra
Builder
‎06-03-2015 08:49 AM

Hi oldtester,

Try with index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats count(X) by _time

0 Karma
Reply
Solved! Jump to solution

ngatchasandra
Builder
‎06-03-2015 09:18 AM

Try now with index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)|chart count by values(x)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...