We are having trouble properly rolling up web access logs to show a macro view of Mb/Sec (megabits per second). We are creating summary indexed data in 10-minute buckets that has the total bytes transferred in that window, collected in a field named NumBytes. We have a panel on a dashboard that should take those individual data points and display appropriate "rolled up" data points based on the automatic bucketing that Splunk does - for example, if we show a report for Last 7 Days, Splunk will roll everything up into 7 separate 1-day cells. So we're looking for the right search to sum all of the NumBytes values, and the total duration of the Splunk-created bucket on the timechart (86400 seconds in my example), and produce the sum(NumBytes)/"bucket duration" for each cell on the chart.
The search we have so far is as follows:
| eval Duration=info_max_time-info_min_time
| stats sum(NumBytes) as TotalBytes, sum(Duration) as TotalWallTime by _time,Server
| eval TotalMb=(TotalBytes*8)/1024/1024 | eval MbSec=(TotalMb)/(TotalWallTime)
| timechart sum(MbSec) by Server
The thinking is Duration is how to get the size of each summary bucket without hardcoding it; the sum(NumBytes) will collect all the bytes from the summary buckets into larger cells; the sum(Duration) will do the same for time, then we calculate Mb/Sec using standard math and display it in a timechart. There are 2 problems as far as we can tell:
1. we are doing the Mb/Sec calculation before the data is rolled up by the timechart
2. we don't know an appropriate func() to use in the timechart operation -- sum() is there now but is clearly inappropriate, as are first(), avg(), etc. I think if we know the answer to #1 then it will be obvious what to do here in #2
| timechart eval(sum(TotalMb) / sum(TotalWallTime)) by Server
Eval expressions in timechart take a little getting used to, but this will do all the math inside timechart like you want. (Note that if there was no 'by Server' there, you'd have to do an 'as MBps' after the expression; timechart forces you to pick a fieldname to replace the eval expression.)
I'll ping Splunk docs because now that you mention it, 'eval' is not listed under 'functions for stats, chart and timechart' and that seems odd. This may be why people rarely find out about it. 😃
You also may want to look into the addinfo command. Because rather than adding up all the little durations and then summing them into a single large duration, addinfo can effectively give you the search timerange, even though it's summary indexed data you're searching.
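To make the difference between the two approaches concrete, here is an added Python simulation of the roll-up (example code written for this page, not code from the thread, from Splunk, or from the summary index described). It constructs a handful of 10-minute summary rows with NumBytes, info_min_time and info_max_time, bins them into timechart-style buckets (a day by default), and compares the ratio-of-sums that `timechart eval(sum(TotalMb)/sum(TotalWallTime)) by Server` computes against the per-row-rate-then-aggregate result of the original search. The row values, server names and the 1024*1024 megabit convention follow the question; everything else (function names, bucket span) is an assumption made for the illustration.

```python
"""Roll 10-minute summary buckets up to a coarser span and compute Mb/sec.

Illustrative example only: rows are constructed for this page, not real
summary-indexed data. 1 Mb here means 1024*1024 bits, matching the thread's
(TotalBytes*8)/1024/1024 formula, so MB_BYTES is the byte count of one Mb.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

MB_BYTES = 1024 * 1024 // 8  # 131072 bytes == 1 Mb under the thread's convention

# (_time, Server, NumBytes, info_min_time, info_max_time), one row per summary window.
# Constructed so each window has a round-number rate; the third web1 window is a
# partial 300 s window to show why averaging per-row rates is also wrong.
SummaryRow = Tuple[int, str, int, int, int]
SUMMARY_ROWS: List[SummaryRow] = [
    (0,     "web1",  600 * MB_BYTES,     0,   600),   # 1 Mb/s over 600 s
    (600,   "web1", 1200 * MB_BYTES,   600,  1200),   # 2 Mb/s over 600 s
    (1200,  "web1",  900 * MB_BYTES,  1200,  1500),   # 3 Mb/s over a 300 s partial window
    (0,     "web2",   60 * MB_BYTES,     0,   600),   # 0.1 Mb/s, other server same day
    (86400, "web1",  300 * MB_BYTES, 86400, 87000),   # 0.5 Mb/s, next day's bucket
]


def bucket_start(ts: int, span: int) -> int:
    """Floor a timestamp to its bucket start, like timechart span= bucketing."""
    return (ts // span) * span


def to_mb(num_bytes: int) -> float:
    """Bytes to megabits using the thread's (TotalBytes*8)/1024/1024 convention."""
    return num_bytes * 8 / 1024 / 1024


def rollup_mbsec(rows: List[SummaryRow], span: int = 86400) -> Dict[Tuple[int, str], float]:
    """Ratio of sums per (bucket, Server): sum(TotalMb) / sum(TotalWallTime).

    This is the quantity the accepted answer's timechart eval expression produces:
    bytes and wall time are each summed across the bucket first, then divided.
    """
    total_mb: Dict[Tuple[int, str], float] = defaultdict(float)
    total_secs: Dict[Tuple[int, str], int] = defaultdict(int)
    for ts, server, num_bytes, tmin, tmax in rows:
        key = (bucket_start(ts, span), server)
        total_mb[key] += to_mb(num_bytes)
        total_secs[key] += tmax - tmin  # Duration = info_max_time - info_min_time
    return {k: total_mb[k] / total_secs[k] for k in total_mb}


def naive_rollup(rows: List[SummaryRow], span: int = 86400, agg: str = "sum") -> Dict[Tuple[int, str], float]:
    """Rate computed per summary row first, then aggregated inside the bucket.

    Mirrors the question's original search (MbSec per row, then timechart sum()):
    sum() over-counts by the number of rows in the bucket, and avg() only matches
    the true rate when every window has the same duration.
    """
    per_row: Dict[Tuple[int, str], List[float]] = defaultdict(list)
    for ts, server, num_bytes, tmin, tmax in rows:
        key = (bucket_start(ts, span), server)
        per_row[key].append(to_mb(num_bytes) / (tmax - tmin))
    if agg == "sum":
        return {k: sum(v) for k, v in per_row.items()}
    return {k: sum(v) / len(v) for k, v in per_row.items()}


if __name__ == "__main__":
    for label, result in (
        ("ratio of sums (correct)", rollup_mbsec(SUMMARY_ROWS)),
        ("sum of per-row rates", naive_rollup(SUMMARY_ROWS, agg="sum")),
        ("avg of per-row rates", naive_rollup(SUMMARY_ROWS, agg="avg")),
    ):
        print(label)
        for (start, server), mbsec in sorted(result.items()):
            print(f"  t={start:>6} {server}: {mbsec:.3f} Mb/s")
```

For the web1 day-0 bucket the three windows move 2700 Mb in 1500 s of wall time, so the true figure is 1.8 Mb/s; summing per-row rates reports 6 Mb/s and averaging them reports 2 Mb/s because the partial window is weighted equally with the full ones. Doing the division inside timechart avoids both errors, and the same holds whatever span Splunk picks for the chart.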