Solved: Combining stats output with eval

brutecat · ‎06-22-2015

Some advice on something I would have thought to be easy.

I have a field called Elapsed. I want to calculate the number of events in a window of two hours, divide this count by 7200 (the number of seconds in 2 hours) and multiply this by the average value of Elapsed divided by 1000 over this two hours. I then want to send this evaluated result to a timechart. Here is my current search:

index=ediinter Elapsed>0 | bucket _time span=2h | stats avg(Elapsed) as Residence, count as Total |  eval queue=((Total/7200)*(Residence/1000)) |  timechart span=2h first(queue) as Queue

but this produces no results

What am I filtering out?

Thanks,

Stan

HiroshiSatoh · ‎06-22-2015

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

View solution in original post

HiroshiSatoh · ‎06-22-2015

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

brutecat · ‎06-23-2015

Hi HiroshiSatoh,

Great. Thanks very much. I had assumed this was the default.

Regards,

Stan

Combining stats output with eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation