Re: How to create a timechart with min, max, avera...

shasha97 · ‎03-19-2024

I have written this query:

index=index_name (log.event=res OR (log.event=tracing AND log.operationName=query_name)) | timechart span=1m avg(log.responseTime) as AvgTimeTaken, min(log.responseTime) as MinTimeTaken, max(log.responseTime) as MaxTimeTaken count by log.operationName

My results look like this:

_time	AvgTimeTaken: NULL	MaxTimeTaken: NULL	MinTimeTaken: NULL	count:query_name	count: NULL	count:query_name
2024-03-18 13:00:00				0	0	0

I want to understand what the :NULL means, and also how I can get the query to display all values. Secondly, the count is getting displayed for query_name that is similar to the query_name in my query string. I wanted to get an exact match on the query_name. Can someone please help me with this?

Thanks!

PickleRick · ‎03-19-2024

If you specify multiple aggregation functions for timechart by some field, it creates separate data series for each aggregation function and the field value. In the case of :NULL these are stats for events where the field value is empty (I suspect that for log.event=res there is no field log.operation).

How to create a timechart with min, max, average and count values?

stats

table

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation