Splunk Search

How to find the average, min, and max values per minute for a 7 day search?

tkwaller
Builder

I'm trying to find the avg, min, and max values of a 7 day search over 1 minute spans.

For example:

index=apihits app=specificapp earliest=-7d

I want to find:
1. what is the max per minute
2. what is the avg per minute
3. what is the lowest per minute

I know it uses min(field), max(field) and avg(field), but for the life of me I can't get it to work. Can someone please tell me what I'm doing wrong?

0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this. Assuming you're looking for Avg Min and Max count per min for the 7 day period.

index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count by _time | stats min(count) as min max(count) as max avg(count) as avg

The idea is to use bucket to define the time part, use stats to generate a count for each minute (the per-minute count), and then generate the stats from the per-minute counts.

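A runnable model of that two-stage pipeline, added here and not part of the original answer: it mirrors `bucket _time span=1m | stats count by _time | stats min(count) max(count) avg(count)` over a constructed set of hypothetical timestamps. It also shows a caveat worth knowing: `stats count by _time` only yields rows for minutes that actually had events, so the reported min can never be 0; the `fill_empty` path mimics `timechart span=1m count`, which emits 0 for empty minutes.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (hypothetical API-hit timestamps, not real data).
# Note the gap: nothing at all arrives during the 12:02 minute.
EVENTS = [
    "2021-09-01T12:00:05", "2021-09-01T12:00:41", "2021-09-01T12:00:59",
    "2021-09-01T12:01:10",
    "2021-09-01T12:03:02", "2021-09-01T12:03:30",
    "2021-09-01T12:04:15", "2021-09-01T12:04:16", "2021-09-01T12:04:17",
    "2021-09-01T12:04:18", "2021-09-01T12:04:59",
]

def bucket_1m(ts):
    """Equivalent of `bucket _time span=1m`: truncate the timestamp to the minute."""
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0)

def count_per_minute(events, fill_empty=False):
    """`stats count by _time`: one row per minute that had at least one event.
    With fill_empty=True it behaves like `timechart span=1m count`, which also
    emits a 0 row for every minute inside the range that had no events."""
    counts = Counter(bucket_1m(ts) for ts in events)
    if fill_empty and counts:
        t, end = min(counts), max(counts)
        while t <= end:
            counts.setdefault(t, 0)
            t += timedelta(minutes=1)
    return dict(sorted(counts.items()))

def minute_stats(events, fill_empty=False):
    """Second stats pass: min / max / avg over the per-minute counts."""
    values = list(count_per_minute(events, fill_empty).values())
    return {
        "minutes": len(values),
        "min": min(values),
        "max": max(values),
        "avg": sum(values) / len(values),
    }

if __name__ == "__main__":
    # Same 11 events, but the empty minute changes min and avg.
    print("stats count by _time :", minute_stats(EVENTS))
    print("timechart-style      :", minute_stats(EVENTS, fill_empty=True))
```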


zebu14
Explorer

Hello,

And if I want to do so on a 7 day timechart (the max, min and avg value for each day of the last 7 days), how do I modify this request please?

Moreover, the above solution (the first one) gives me a chart with only two columns:
max column
avg column
... but min is on the abscissa axis and is not shown as a dedicated column.

I have to hover my mouse onto one of the columns to see the min value (or look in the table below)

Any idea ?

Thank you

0 Karma

tkwaller
Builder

Of course, that's exactly what I left out: count by _time. Thanks for the help. My brain is just burnt for today.

0 Karma

jensonthottian
Contributor

index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count as somename, avg(field) as AvgValue, min(field) as MinValue, max(field) as MaxValue by somefield

Since you want it by minute, the key is to bucket all the data per minute.

richgalloway
SplunkTrust

What have you tried so far? We can't say what you're doing wrong without knowing what you are doing.

---
If this reply helps you, an upvote would be appreciated.

tkwaller
Builder

This is what I was trying to do:

index=apihits app=specificapp earliest=-7d | bucket _time span=1min | stats count AS totalCalls, avg(totalCalls) AS AvgCallPerMin, min(totalCalls) AS MinCallsPerMin, max(totalCalls) AS MaxCallsPerMin
0 Karma