## How to find the average, min, and max values per minute for a 7 day search?

Builder

I'm trying to find the avg, min, and max values of a 7 day search over 1 minute spans.

For example:

```
index=apihits app=specificapp earliest=-7d
```

I want to find:
1. what is the max per minute
2. what is the avg per minute
3. what is the lowest per minute

I know it uses min(field), max(field) and avg(field), but for the life of me I can't get it to work. Can someone please tell me what I'm doing wrong?

Solution

Revered Legend

Try something like this, assuming you're looking for the avg, min and max count per minute for the 7 day period.

```
index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count by _time | stats min(count) as min max(count) as max avg(count) as avg
```

The idea is to use bucket to define the time part, use stats to generate a count for each minute (per-minute count), and then generate the stats from the per-minute count.

Explorer

Hello,

And if I want to do so on a 7 day timechart (the max, min and avg value, for each day of the last 7 days), how do I modify this request, please?

Moreover, the above solution (the first one) gives me a chart with only two columns:

- max column
- avg column

... but min is on the abscissa axis and is not shown as a dedicated column.

I have to hover my mouse over one of the columns to see the min value (or look in the table below).

Any idea?

Thank you
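Added example, not part of any post in this thread: one way to get the per-day min, max and avg of the per-minute counts that the follow-up above asks for, reusing the index and app from the question. The names `per_min`, `min_per_min`, `max_per_min` and `avg_per_min` are illustrative, and the per-minute stage uses `timechart` rather than `stats count by _time` so that minutes with no events are counted as 0 instead of being left out.

```spl
index=apihits app=specificapp earliest=-7d
| timechart span=1m count AS per_min
| timechart span=1d min(per_min) AS min_per_min max(per_min) AS max_per_min avg(per_min) AS avg_per_min
| eval avg_per_min=round(avg_per_min, 2)
```

Because `_time` is the first column of the result, a chart uses it as the x-axis and draws min, max and avg as separate series.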

Builder

Of course, that's exactly what I left out, count by _time. Thanks for the help. My brain is just burnt for today.

Contributor

```
index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count as somename, avg(field) as AvgValue min(field) as MinValue max(field) as MaxValue by somefield
```

Since you want it by minute, the key is to bucket all data per minute.

SplunkTrust

What have you tried so far? We can't say what you're doing wrong without knowing what you are doing.

---
If this reply helps you, an upvote would be appreciated.

Builder

This is what I was trying to do:

```
index=apihits app=specificapp earliest=-7d | bucket _time span=1min | stats count AS totalCalls, avg(totalCalls) AS AvgCallPerMin, min(totalCalls) AS MinCallsPerMin, max(totalCalls) AS MaxCallsPerMin
```