Solved: Combining stats output with eval

brutecat · ‎06-22-2015

Some advice on something I would have thought to be easy.

I have a field called Elapsed. I want to calculate the number of events in a window of two hours, divide this count by 7200 (the number of seconds in 2 hours) and multiply this by the average value of Elapsed divided by 1000 over this two hours. I then want to send this evaluated result to a timechart. Here is my current search:

index=ediinter Elapsed>0 | bucket _time span=2h | stats avg(Elapsed) as Residence, count as Total |  eval queue=((Total/7200)*(Residence/1000)) |  timechart span=2h first(queue) as Queue

but this produces no results

What am I filtering out?

Thanks,

Stan

HiroshiSatoh · ‎06-22-2015

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

View solution in original post

HiroshiSatoh · ‎06-22-2015

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

brutecat · ‎06-23-2015

Hi HiroshiSatoh,

Great. Thanks very much. I had assumed this was the default.

Regards,

Stan

Combining stats output with eval

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake