Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining stats output with eval

brutecat
Path Finder
‎06-22-2015 11:39 PM

Some advice on something I would have thought to be easy.

I have a field called Elapsed. I want to calculate the number of events in a window of two hours, divide this count by 7200 (the number of seconds in 2 hours) and multiply this by the average value of Elapsed divided by 1000 over this two hours. I then want to send this evaluated result to a timechart. Here is my current search:

index=ediinter Elapsed>0 | bucket _time span=2h | stats avg(Elapsed) as Residence, count as Total |  eval queue=((Total/7200)*(Residence/1000)) |  timechart span=2h first(queue) as Queue

but this produces no results

What am I filtering out?

Thanks,

Stan

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎06-22-2015 11:57 PM

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

View solution in original post

Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎06-22-2015 11:57 PM

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

Reply
Solved! Jump to solution

brutecat
Path Finder
‎06-23-2015 01:31 AM

Hi HiroshiSatoh,

Great. Thanks very much. I had assumed this was the default.

Regards,

Stan

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...