Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to achieve difference between rate_sum and rate_avg aggregations using mstats command?

tankelvi
New Member
‎04-20-2023 03:18 AM

Hi,

I am trying to create a timechart using mstats command but I have some questions as follows, I would appreciate it if I am able to get some answers or clarifications on them:

  1. What is the difference between the aggregations which are rate_avg() and rate_sum() when using mstats command?
  2. We observed that no matter which aggregations we are using, the graphs are returning the same result. Example are as follows:
    1. Using rate_avg
      tankelvi_3-1681985404673.png
    2. Using rate_sum
      tankelvi_2-1681985344887.png

Thank you very much.

 

Best Regards,

Kelvin.

 

@ericaooi 

Labels (1)
Labels
0 Karma
Reply

gcasaldi
Explorer
‎04-20-2023 06:59 AM

Hi,
have you tried to see if it depends on the: 
| timechart sum
command?

bye

G.

0 Karma
Reply

tankelvi
New Member
‎05-02-2023 12:52 AM

Hi,

Thanks for the reply. I tried to do the queries in different sets of combinations and the results are as shown in the figure below:

tankelvi_0-1683013566244.png

Based on the result:

1) rate_sum & timechart sum(), rate_avg & timechart sum(), rate_sum & timechart per_minute(), rate_avg & timechart per_minute() all have the same result value.

2) rate_sum & timechart avg(), rate_avg & timechart avg() have the same result value.

3) If solely based on this observation, it seems like there is no difference on whether to use rate_sum or rate_avg to construct the graph

or is there anything that I miss or did wrongly? Any suggestion on how to construct the query to be able to fully utilize the rate_sum and rate_avg under different scenario?

Thanks a lot in advance.

Best Regards,

Kelvin.

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...