Solved: Piping from 'map' to get average as a single numbe...

winknotes · ‎03-07-2023

I'm using the map command to iterate through a list of devices and forecasting some of the metrics associated with each device. That's all working but what I really want is to then average the returned results down to a single number per device.

The query returns 104 rows per device. I want to be able to average them as a single number per device but no matter what I pipe to it simply returns all of the data.

I'd appreciate some guidance on making this work.

| inputlookup array_stats.csv 
| dedup Array_Name 
| map maxsearches=1000 search="
    inputlookup array_stats.csv 
    | search Array_Name=$Array_Name$
    | timechart avg(IOPS) as avgIOPS avg(ReadRT) as avgReadRT avg(WriteRT) as avgWriteRT values(Array_Name) as ArrayName span=1d
    | predict "avgIOPS" as predIOPS "avgReadRT" as predReadRT "avgWriteRT" as predWriteRT  future_timespan=14 
| eventstats avg(avgIOPS) avg(avgReadRT) avg(avgWriteRT) avg(predIOPS) avg(predReadRT) avg(predWriteRT) by ArrayName"

ITWhisperer · ‎03-07-2023

Does using stats instead of eventstats in the last line help?

View solution in original post

ITWhisperer · ‎03-07-2023

Does using stats instead of eventstats in the last line help?

winknotes · ‎03-08-2023

Yes it did!! I could have sworn I tried that before but I guess not. Thank you for the help.

Piping from 'map' to get average as a single number per device?

troubleshooting

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024