Splunk Search

How to create average duration over time overlay in timechart

kmedara
Engager

I have a time chart that displays the average duration of calls for each day in the time range; the time range is set with a time picker. The call duration is parsed out using the rex command.

rex field=_raw "Duration : (?<hh>\d+):(?<mm>\d+):(?<ss>\d+\.\d+)"
| eval dur = (hh * 3600) + (mm * 60) + ss
| timechart span=1d avg(dur)

The current results look like:

[image]

I am looking for something like this with the dashed line like so:

[image]

1 Solution

adonio
Ultra Champion

Please elaborate: what will be the data populating the chart overlay?
Try this search anywhere, in case you are pursuing some sort of running average:

| gentimes start=-7 increment=2h
| eval _time = starttime 
| eval duration = random()%1000 + 3000
| sort - _time
| timechart span=4h avg(duration) as avg_dur
| streamstats time_window=24h avg(avg_dur) as dur_running_avg

0 Karma
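
The question's `rex` extraction combined with the running average from the answer, as an added example that is not part of the original posts. The first four lines construct about a week of sample call events (the field name `sample_secs` and the message text are made up for illustration) so the search runs anywhere; on real data, replace them with the base search.

```spl
| makeresults count=200
| eval _time = now() - (random() % (7 * 86400))
| eval sample_secs = 3000 + (random() % 1000)
| eval _raw = "Call ended. Duration : " . tostring(sample_secs, "duration") . ".0"
| rex field=_raw "Duration : (?<hh>\d+):(?<mm>\d+):(?<ss>\d+\.\d+)"
| eval dur = (hh * 3600) + (mm * 60) + ss
| timechart span=1d avg(dur) as avg_dur
| streamstats avg(avg_dur) as dur_running_avg
```

Without `time_window`, `streamstats` averages every daily value up to the current row; adding `time_window=3d`, for instance, limits it to a sliding window as in the answer. To draw `dur_running_avg` as a line over the daily columns, select it as a chart overlay (`charting.chart.overlayFields`).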

kmedara
Engager

streamstats avg(avg_dur) was exactly what I needed, thank you

0 Karma

adonio
Ultra Champion

cool,

converting to an answer, kindly accept it so others will know it worked for you

0 Karma