Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a timechart with min, max, average and count values?

shasha97
New Member
‎03-19-2024 11:10 AM

I have written this query:

 

index=index_name (log.event=res OR (log.event=tracing AND log.operationName=query_name)) | timechart span=1m avg(log.responseTime) as AvgTimeTaken, min(log.responseTime) as MinTimeTaken, max(log.responseTime) as MaxTimeTaken count by log.operationName

 

My results look like this:

_time  AvgTimeTaken: NULLMaxTimeTaken: NULLMinTimeTaken: NULLcount:query_namecount: NULL  count:query_name
2024-03-18 13:00:00   000

 

I want to understand what the :NULL means, and also how I can get the query to display all values.  Secondly, the count is getting displayed for query_name that is similar to the query_name in my query string. I wanted to get an exact match on the query_name. Can someone please help me with this?

Thanks!

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-19-2024 02:43 PM

If you specify multiple aggregation functions for timechart by some field, it creates separate data series for each aggregation function and the field value. In the case of :NULL these are stats for events where the field value is empty (I suspect that for log.event=res there is no field log.operation).

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...