Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get Stats from Search and Average?

jpsquires
New Member
‎08-19-2019 12:14 PM

This is probably quite simple and I am missing something..
i am using this search. 

index=sxxx sourcetype=sxxx host=xyz  source="C:\\mydata" |Dedup _time|table _time, host, username, SimulatorProcess, ProcessTime

I have the following search result

08/19/2019 16:44:34,136Z INFO  user[XXXX] tid[ 1] [(null)]: ProcessSimulationResults took: 1.1204099 seconds

i did a field extraction to get the username, what the process is and the time. I would like to put these in a table and average them out. Search has 4 results but when i put into a table i get many null results.
what is the best way to display and average these out. Would also like to have a single display of the averages over day/week/month.

thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

solarboyz1
Builder
‎08-19-2019 12:43 PM

Here's how to get the average processTime by user, host, and SimulatorProcess:

index=ixxx sourcetype=sxxx host=xyz source=xxx 
|  stats  avg(ProcessTime) as avgProcessTime  by host, username, SimulatorProcess
| table host, username, SimulatorProcess, avgProcessTime

You can also do this over time:

index=ixxx sourcetype=sxxx host=xyz source=xxx 
|  timechart avg(ProcessTime) as avgProcessTime, values(username) as users, values(host) as hosts  by SimulatorProcess

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

solarboyz1
Builder
‎08-19-2019 12:43 PM

Here's how to get the average processTime by user, host, and SimulatorProcess:

index=ixxx sourcetype=sxxx host=xyz source=xxx 
|  stats  avg(ProcessTime) as avgProcessTime  by host, username, SimulatorProcess
| table host, username, SimulatorProcess, avgProcessTime

You can also do this over time:

index=ixxx sourcetype=sxxx host=xyz source=xxx 
|  timechart avg(ProcessTime) as avgProcessTime, values(username) as users, values(host) as hosts  by SimulatorProcess
0 Karma
Reply
Solved! Jump to solution

jpsquires
New Member
‎08-20-2019 07:23 AM

Excellent.. Thank you for the assist.

0 Karma
Reply
Solved! Jump to solution

jpsquires
New Member
‎08-19-2019 12:19 PM

Stats count by _Time, host, username, SimulatorProcess, ProcessTime gives me a good chart. Now to average

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...