Solved: Average Field Value per Second

matthewcanty · ‎05-01-2012

Hi there, I have a problem and think I know the cause. Looking for the work around. I am sending periodic logs to Splunk which contains count information and want to timechart the Fixtures per second. For example:

FeedSource="A" Sport="Football" Fixtures=20

The message is sent every 10 seconds so the fix/ps should be 2. But how can I get this to work across any time frame I am looking at?

So if I am looking at 1 day and each point represents an hour, the count must be divided by 3600. Whereas if I am looking at 1 minute and each point on the graph represents 1 second, the count must be divided by 1.

avg(X) cannot be used because some log messages will contain Fixtures=0 which will bring the average per second down.

Thanks in advance for any help!

Ayn · ‎05-01-2012

Use per_second:

... | stats per_second(Fixtures)

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/CommonStatsFunctions

View solution in original post

Ayn · ‎05-01-2012

Use per_second:

... | stats per_second(Fixtures)

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/CommonStatsFunctions

dennywebb · ‎04-19-2013

This only works on timechart... not stats.

matthewcanty · ‎05-01-2012

Holy moly... feel bad!

Average Field Value per Second

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!