Splunk Search

How to change my stats avg(x) search to an hourly timechart?

pavanae
Builder

Hi

I have the following search, which displays the average of a field, but I am trying to build an hourly timechart that shows the average for that particular hour.

... My Search ... | rex "<Total_Amount_Due>(?<amount>\d+\.\d+)</Total_Amount_Due>" | stats count by amount | where amount > 0 | stats avg(amount) as average

How do I modify my search to display the hourly average count?

Any help or suggestions?

0 Karma
1 Solution

martin_mueller
SplunkTrust

You could use this:

... | rex ... | timechart span=1h count dc(amount) as dc | eval average = count / dc | fields - count dc

This counts the events per hour and the number of distinct amount values in that hour, then computes the average from those two numbers.

Alternatively, you could do this:

... | rex ... | bin span=1h _time | stats count by _time amount | timechart span=1h avg(count) as average

Note that I've changed avg(amount) to avg(count); I'm not sure whether that was intentional in your question or not.


tedwroks
Explorer

It sounds like all you want is:

... My Search ... | rex "<Total_Amount_Due>(?<amount>\d+\.\d+)</Total_Amount_Due>" | timechart span=1h avg(amount)
0 Karma
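The two answers above compute different things: tedwroks's timechart avg(amount) averages over every event in the hour, while martin_mueller's count / dc(amount) gives the number of events per distinct amount value, and the original stats count by amount | stats avg(amount) averages over distinct values rather than events. The Python below is an added example, not code from the thread or from Splunk, that reproduces the three aggregations over a handful of constructed XML events so the difference is visible. The event lines, the hour-bucket keys (ISO 8601 in UTC) and the escaped decimal point in the regex are assumptions made here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not from the original thread: (timestamp, raw event).
# Hour 10 has amounts 10, 10, 40; hour 11 has 0.00, 25.50 and one unparseable value.
SAMPLE_EVENTS = [
    ("2024-03-01T10:05:00Z", "<Invoice><Total_Amount_Due>10.00</Total_Amount_Due></Invoice>"),
    ("2024-03-01T10:20:00Z", "<Invoice><Total_Amount_Due>10.00</Total_Amount_Due></Invoice>"),
    ("2024-03-01T10:40:00Z", "<Invoice><Total_Amount_Due>40.00</Total_Amount_Due></Invoice>"),
    ("2024-03-01T11:15:00Z", "<Invoice><Total_Amount_Due>0.00</Total_Amount_Due></Invoice>"),
    ("2024-03-01T11:30:00Z", "<Invoice><Total_Amount_Due>25.50</Total_Amount_Due></Invoice>"),
    ("2024-03-01T11:45:00Z", "<Invoice><Total_Amount_Due>no amount</Total_Amount_Due></Invoice>"),
]

# Same capture as the thread's rex, with the decimal point escaped so that an
# unescaped "." cannot swallow an arbitrary character between the digit runs.
AMOUNT_RE = re.compile(r"<Total_Amount_Due>(?P<amount>\d+\.\d+)</Total_Amount_Due>")


def extract(events):
    """rex + bin span=1h _time: return [(hour_bucket, amount)] for events where the field extracts."""
    out = []
    for ts, raw in events:
        m = AMOUNT_RE.search(raw)
        if not m:
            continue  # rex leaves the field null; stats/timechart ignore the event
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket = t.replace(minute=0, second=0, microsecond=0)  # truncate to the hour
        out.append((bucket, float(m.group("amount"))))
    return out


def hourly_avg_amount(events):
    """timechart span=1h avg(amount): mean over every event in the hour."""
    sums, counts = defaultdict(float), defaultdict(int)
    for bucket, amount in extract(events):
        sums[bucket] += amount
        counts[bucket] += 1
    return {b.isoformat(): sums[b] / counts[b] for b in sorted(sums)}


def hourly_count_per_distinct(events):
    """timechart span=1h count dc(amount) | eval average = count / dc: events per distinct value."""
    counts, distinct = defaultdict(int), defaultdict(set)
    for bucket, amount in extract(events):
        counts[bucket] += 1
        distinct[bucket].add(amount)
    return {b.isoformat(): counts[b] / len(distinct[b]) for b in sorted(counts)}


def hourly_avg_distinct_positive(events):
    """The original stats count by amount | where amount > 0 | stats avg(amount), per hour:
    mean over the distinct positive values, each counted once however often it occurs."""
    distinct = defaultdict(set)
    for bucket, amount in extract(events):
        if amount > 0:
            distinct[bucket].add(amount)
    return {b.isoformat(): sum(s) / len(s) for b, s in sorted(distinct.items())}


if __name__ == "__main__":
    for name, fn in [("avg(amount)", hourly_avg_amount),
                     ("count/dc", hourly_count_per_distinct),
                     ("avg of distinct >0", hourly_avg_distinct_positive)]:
        print(name, fn(SAMPLE_EVENTS))
```

For hour 10 the three searches return 20.0, 1.5 and 25.0 respectively on this data, which is the kind of mismatch behind "it was giving the wrong average": decide first whether the duplicate 10.00 events should count twice, and whether zero amounts belong in the average, before picking which of the three to run.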

pavanae
Builder

Hi, everything seems good, but it was giving the wrong average.

0 Karma

martin_mueller
SplunkTrust

If neither produces the results you want, then please post sample data along with the intended results.

0 Karma

pavanae
Builder

Thanks Martin, both searches worked great; my mistake.

0 Karma

somesoni2
SplunkTrust

Try Martin's second query with avg(amount) in the timechart.

0 Karma