Solved: Re: TimeChart for average function avg()

DPOIRE · ‎03-28-2023

I have this search that is working and returning a average Delay value:

Search Command

| eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z")
| stats range(epoch_timestamp) as Delay by "logId"
| stats avg(Delay)

However, I want to display the daily averages in a timechart graph to see the performance evolution by day.
Tried the following based on research but It does not return Statistic or Vizualization values (just returning events):

Search Command

| eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z")
| stats range(epoch_timestamp) as Delay by "logId"
| bucket _time span=1d
| stats avg(Delay) as Performance by _time

ITWhisperer · ‎03-28-2023

| eval Performance=if(Performance == 0,null(),Performance)

View solution in original post

DPOIRE · ‎03-28-2023

Thanks, appears to partially work.
You provided the solution to my question.
However, I have this result now where Sunday is returning a zero value which is screwing up the results and trend.
How can I remove these from the results and graph?

ITWhisperer · ‎03-28-2023

| eval Performance=if(Performance == 0,null(),Performance)

ITWhisperer · ‎03-28-2023

Try something by this

| eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z")
| stats range(epoch_timestamp) as Delay max(_time) as _time by "logId"
| bucket _time span=1d
| stats avg(Delay) as Performance by _time

How to TimeChart for average function avg()?

stats

timechart

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services