I have results table like below. How can I combine these multivalues per each day such that need to get single value (average) for each day. Now we can see multiple values listed (since we have four servers, 4 values are displayed)
Below is the example we got the results
_time rtlvpxaw01 12/6/2015 -177.0167824 -268.4641204 -85.56944444 5.85474537 12/7/2015 100 12/8/2015 97.27893519 97.42939815 97.57986111 97.62962963
We have used this search:
index=f5 sourcetype=F5 server* F5_MonitorStatus="monitor status up" | convert num(SiloDownHours) | eval SiloDownHours = SiloDownHours * 3600 | convert num(SiloDownMins) | eval SiloDownMins = SiloDownMins * 60 |convert num(SiloDownSecs) | eval SiloDownTotal = (SiloDownSecs + SiloDownMins + SiloDownHours)/2 |streamstats sum(SiloDownTotal) as SiloDownTotal by F5_apache_host |eval PercentUptime = ((86400 - SiloDownTotal)/86400*100) |timechart span=1d values(PercentUptime) by server|fillnull value=100
Hi I don't quite get your query because some special characters have been removed so in future please remember to post queries inside the code tags (simply use the button above with 1s and 0s when editing queries).
Anyway, if all your are trying to do is to calculate the average per day then the following should work:
| bucket _time span=1d | stats avg(yourfield) by _time
You don't even need to use timechart for that.
Thanks, Sure will use going forward. Just come to know about code tags 🙂
This gives me results partially what we expected.
It gives us average value only for the days when server is down,but If server is not down then we need to show value for that particular day as 100.
(This was the reason we have used timechart command and used fillnull=100 when it doesn't return any value)
Hi, then simply go back to timechart but use avg instead of values and then pipe that to your fillnull.
@somesoni2 provided an answer below with that syntax I believe.
Just update the last timechart like this
|timechart span=1d avg(PercentUptime) by server | fillnull value=100