How to create a timechart with min, max, average a...

shasha97 · ‎03-19-2024

I have written this query:

index=index_name (log.event=res OR (log.event=tracing AND log.operationName=query_name)) | timechart span=1m avg(log.responseTime) as AvgTimeTaken, min(log.responseTime) as MinTimeTaken, max(log.responseTime) as MaxTimeTaken count by log.operationName

My results look like this:

_time	AvgTimeTaken: NULL	MaxTimeTaken: NULL	MinTimeTaken: NULL	count:query_name	count: NULL	count:query_name
2024-03-18 13:00:00				0	0	0

I want to understand what the :NULL means, and also how I can get the query to display all values. Secondly, the count is getting displayed for query_name that is similar to the query_name in my query string. I wanted to get an exact match on the query_name. Can someone please help me with this?

Thanks!

PickleRick · ‎03-19-2024

If you specify multiple aggregation functions for timechart by some field, it creates separate data series for each aggregation function and the field value. In the case of :NULL these are stats for events where the field value is empty (I suspect that for log.event=res there is no field log.operation).

How to create a timechart with min, max, average and count values?

stats

table

timechart

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio