Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can you search and display moving averages as a function of time?

acemel
New Member
‎12-20-2016 12:40 PM

The search below produces a timechart with 8 sets (trends) of values (Efficiency), one trend for each of 8 positions labeled 1 to 8. The streamstats command adds 8 additional trends showing the moving average Efficiency for each of the 8 positions - AVG(1) to AVG(8).

index="8s_perf_mon" Machine= 5001 Position>=1 AND Position<=8
| timechart span=12h values(eval(if(Efficiency=0, null(),Efficiency))) by Position 
| streamstats AVG

I want to show only the 8 moving average trends so I added "|table AVG*" command as shown below. This removes trends 1-8 but shows only AVG(2) to AVG(8). AVG(1) ended up as the x-axis label of time. The AVG(2) to AVG(8) trends did not seem to change after removing trends 1-8.

index="8s_perf_mon" Machine= 5001 Position>=1 AND Position<=8
| timechart span=12h values(eval(if(Efficiency=0, null(),Efficiency))) by Position 
| streamstats AVG 
|table AVG*

Does anyone know why AVG(1) trend was left out and ended up as the x-axis? How can I display all 8 sets of moving averages as a function of time?

Thanks for any help!

0 Karma
Reply

somesoni2
Revered Legend
‎12-20-2016 02:01 PM

Your original query, before streamstats, was a timechart query with _time as first column (for x-axis) and 1-8 as trend columns. Using | table AVG* you're removing the _time field as well, hence the chart visualization is treating first column AVG(1) as x-axis value. Just include the _time as well in your table command

 index="8s_perf_mon" Machine= 5001 Position>=1 AND Position<=8
 | timechart span=12h values(eval(if(Efficiency=0, null(),Efficiency))) by Position 
 | streamstats AVG 
 |table _time AVG*
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...