AVG Count of a error message

123michi19 · ‎03-20-2020

Good morning,

I log different error messages in SPLUNK and want to get the average number of each error message and create an alert for this.

What I tried:
index="" AND http_message="" | timechart avg(http_message)

Unfortunately it doesn't the deliver the excepted screen.

woodcock · ‎03-20-2020

Like this:

index="*" AND http_message="*" 
| timechart count BY http_message
| untable _time http_message count
| stats avg(count) BY http_message

richgalloway · ‎03-20-2020

The avg function requires a numeric field as an argument. Try this query.

index=foo http_message="*"
| stats count by _time, http_message
| timechart avg(count) as avg by http_message

---
If this reply helps you, Karma would be appreciated.

dindu · ‎03-20-2020

Hi,

Please try the below search and let us whether it worked.

       index="" AND http_message="*" 
       |stats count as tot by http_message,_time
       |stats avg(tot) as Average by _time

Are you a member of the Splunk Community?