Solved: Average Field Value per Second

matthewcanty · ‎05-01-2012

Hi there, I have a problem and think I know the cause. Looking for the work around. I am sending periodic logs to Splunk which contains count information and want to timechart the Fixtures per second. For example:

FeedSource="A" Sport="Football" Fixtures=20

The message is sent every 10 seconds so the fix/ps should be 2. But how can I get this to work across any time frame I am looking at?

So if I am looking at 1 day and each point represents an hour, the count must be divided by 3600. Whereas if I am looking at 1 minute and each point on the graph represents 1 second, the count must be divided by 1.

avg(X) cannot be used because some log messages will contain Fixtures=0 which will bring the average per second down.

Thanks in advance for any help!

Ayn · ‎05-01-2012

Use per_second:

... | stats per_second(Fixtures)

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/CommonStatsFunctions

View solution in original post

Ayn · ‎05-01-2012

Use per_second:

... | stats per_second(Fixtures)

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/CommonStatsFunctions

dennywebb · ‎04-19-2013

This only works on timechart... not stats.

matthewcanty · ‎05-01-2012

Holy moly... feel bad!

Average Field Value per Second

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation