How to edit my search to get the average for multiple values each day?

Path Finder

Hi,

I have a results table like the one below. How can I combine these multiple values for each day so that we get a single value (the average) for each day? Right now multiple values are listed (since we have four servers, 4 values are displayed).

Below is an example of the results we got:

_time       rtlvpxaw01
12/6/2015   -177.0167824
             -268.4641204
             -85.56944444
             5.85474537
12/7/2015   100
12/8/2015   97.27893519
             97.42939815
             97.57986111
             97.62962963

We have used this search:

index=f5 sourcetype=F5 server* F5_MonitorStatus="monitor status up"
| convert num(SiloDownHours)
| eval SiloDownHours = SiloDownHours * 3600
| convert num(SiloDownMins)
| eval SiloDownMins = SiloDownMins * 60
| convert num(SiloDownSecs)
| eval SiloDownTotal = (SiloDownSecs + SiloDownMins + SiloDownHours)/2
| streamstats sum(SiloDownTotal) as SiloDownTotal by F5_apache_host
| eval PercentUptime = ((86400 - SiloDownTotal)/86400*100)
| timechart span=1d values(PercentUptime) by server
| fillnull value=100
0 Karma

Re: How to edit my search to get the average for multiple values each day?

SplunkTrust

Hi, I don't quite get your query because some special characters have been removed, so in future please remember to post queries inside the code tags (simply use the button above with 1s and 0s when editing queries).

Anyway, if all you are trying to do is calculate the average per day, then the following should work:

| bucket _time span=1d
| stats avg(yourfield) by _time

You don't even need to use timechart for that.

0 Karma

Re: How to edit my search to get the average for multiple values each day?

Path Finder

Thanks, sure, will use them going forward. I just came to know about code tags 🙂

This partially gives the results we expected.

It gives us the average value only for the days when a server is down, but if a server is not down then we need to show the value for that particular day as 100.

(This was the reason we used the timechart command with fillnull value=100 for when it doesn't return any value.)

0 Karma

Re: How to edit my search to get the average for multiple values each day?

SplunkTrust

Hi, then simply go back to timechart but use avg instead of values and then pipe that to your fillnull.
@somesoni2 provided an answer below with that syntax I believe.

0 Karma

Re: How to edit my search to get the average for multiple values each day?

SplunkTrust

Just update the last timechart like this

| timechart span=1d avg(PercentUptime) by server
| fillnull value=100
0 Karma
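
The behaviour discussed in this thread can be reproduced without the F5 index. The search below is an added example, not a query posted by anyone in the thread: the five rows, their PercentUptime values and the helper field n are constructed sample data, and only the server name rtlvpxaw01 and the last two commands come from the posts above.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time = strptime("2015-12-06 01:00:00", "%Y-%m-%d %H:%M:%S") + if(n=5, 172800, n*600)
| eval server = "rtlvpxaw01", PercentUptime = case(n=1, 90, n=2, 80, n=3, 70, n=4, 60, n=5, 98)
| timechart span=1d avg(PercentUptime) by server
| fillnull value=100
```

The sample has four events on 12/6/2015, none on 12/7/2015 and one on 12/8/2015, so timechart emits an empty daily bucket for 12/7 that fillnull then sets to 100. Replacing the last two commands with the bucket and stats pair from the earlier answer returns rows only for days that have events, which is the partial result described above.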

Re: How to edit my search to get the average for multiple values each day?

Path Finder

Thanks, with some changes to the above one we got the results intended.

0 Karma