Splunk Search

Counting averages

Path Finder

I have data for users running in two modes: Online, and Cached.

I want to get the average number of connections for each type of user over a 1 week period, so that I have a line graph and compare the load on the server for each type of user.

How can I do this? I think I'm way off track...

index=sanindex source="rpc" | timechart span=1h count(client_name)

client_mode is either Online or Cached. client_name is the name of a connecting user.

Thank you

James


Hi, James: Let me add more information about what you're looking for.

  • Log Events
    The logs contain:
     - client_mode: Classic, Cached, etc...
     - client_name: 100s of different values

    Each client_name comes with either "client_mode=Classic" or "client_mode=Cached".

  • What to achieve
    1. Count of each client_user every hour in the past one week
    2. Average the count of all the client_user per hour in the past one week
    3. Compare the averaged user's client_mode, Classic and Cached, in order to see one "average" user's mode.

Splunk Employee

index=sanindex source="rpc" client_mode=Classic OR client_mode=cached earliest=-30d@d latest=@d 
  | bucket _time span=1h 
  | stats count by _time, client_name, client_mode 
  | timechart avg(count) by client_mode


Path Finder

Thanks gkanpathy, but not quite.

I'd like to compare the average number of connections of each type, per day. So I take the average count of entries per day for client_mode=Cached, and the average count of entries per day where client_mode=Online, and then I can compare the two in a line graph.

Thank you for your help.


Splunk Employee
index=sanindex source="rpc" client_name=* | timechart span=1h count by client_mode
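
An added example, not part of any post in this thread: the two searches above answer different questions, and this Python sketch reproduces both aggregations over a few constructed events so the difference is visible. It assumes the final timechart keeps the one-hour buckets; the sample users and timestamps are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, client_name, client_mode).
EVENTS = [
    ("2024-01-01 10:05:00", "alice", "Cached"),
    ("2024-01-01 10:15:00", "alice", "Cached"),
    ("2024-01-01 10:40:00", "alice", "Cached"),
    ("2024-01-01 10:20:00", "bob", "Cached"),
    ("2024-01-01 10:30:00", "carol", "Online"),
    ("2024-01-01 10:50:00", "carol", "Online"),
    ("2024-01-01 11:10:00", "carol", "Online"),
]

def hour_bucket(ts):
    """Equivalent of `bucket _time span=1h`: truncate the timestamp to the hour."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")

def hourly_total(events):
    """`timechart span=1h count by client_mode`: all events per hour and mode."""
    return dict(Counter((hour_bucket(ts), mode) for ts, _name, mode in events))

def per_user_hourly_avg(events):
    """`stats count by _time, client_name, client_mode` followed by
    `timechart avg(count) by client_mode`: mean connections per active user.
    Users with no events in an hour are not counted as zero."""
    per_user = Counter((hour_bucket(ts), name, mode) for ts, name, mode in events)
    grouped = defaultdict(list)
    for (hour, _name, mode), count in per_user.items():
        grouped[(hour, mode)].append(count)
    return {key: sum(counts) / len(counts) for key, counts in grouped.items()}

if __name__ == "__main__":
    totals, averages = hourly_total(EVENTS), per_user_hourly_avg(EVENTS)
    for key in sorted(totals):
        print(key, "total:", totals[key], "avg per user:", averages[key])
```

In the 10:00 bucket both modes average 2 connections per user, yet Cached produces 4 connections in total against 2 for Online, so the per-mode count is the one that reflects server load.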