Splunk Search

How to change my stats avg(x) search to an hourly timechart ?

pavanae
Builder

Hi

I have the following search which displays the Average of a field, but I am trying to put a time chart in hourly which shows the average of that particular hour.

…..My Search……|rex "<Total_Amount_Due>(?<amount>\d+.\d+)</Total_Amount_Due>" | stats count by amount | where amount > 0 | stats avg(amount) as average
How to modify my search to display the hourly average count?

Any help or Suggestions?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could use this:

... | rex ... | timechart span=1h count dc(amount) as dc | eval average = count / dc | fields - count dc

This will count the events per hour and the number of different amount values to then compute the average.

Alternatively, you could do this:

... | rex ... | bin span=1h _time | stats count by _time amount | timechart span=1h avg(count) as average

Note, I've changed avg(amount) to avg(count), not sure if that was intentional in your question or not.

View solution in original post

tedwroks
Explorer

It sounds like all you want is:

... My Search ...|rex "<Total_Amount_Due>(?<amount>\d+.\d+)</Total_Amount_Due>" | timechart span=1h avg(amount)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could use this:

... | rex ... | timechart span=1h count dc(amount) as dc | eval average = count / dc | fields - count dc

This will count the events per hour and the number of different amount values to then compute the average.

Alternatively, you could do this:

... | rex ... | bin span=1h _time | stats count by _time amount | timechart span=1h avg(count) as average

Note, I've changed avg(amount) to avg(count), not sure if that was intentional in your question or not.

View solution in original post

pavanae
Builder

Hi everything seems good but it was giving the wrong average.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If both don't produce results you like then please do post sample data along with intended results.

0 Karma

pavanae
Builder

Thanks Martin both searches worked great my mistake.

0 Karma

somesoni2
Revered Legend

Try to use Martin's 2nd query with avg(amount) in the timechart.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!