- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get Stats from Search and Average?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is probably quite simple and I am missing something..
i am using this search.
index=sxxx sourcetype=sxxx host=xyz source="C:\\mydata" |Dedup _time|table _time, host, username, SimulatorProcess, ProcessTime
I have the following search result
08/19/2019 16:44:34,136Z INFO user[XXXX] tid[ 1] [(null)]: ProcessSimulationResults took: 1.1204099 seconds
i did a field extraction to get the username, what the process is and the time. I would like to put these in a table and average them out. Search has 4 results but when i put into a table i get many null results.
what is the best way to display and average these out. Would also like to have a single display of the averages over day/week/month.
thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's how to get the average processTime by user, host, and SimulatorProcess:
index=ixxx sourcetype=sxxx host=xyz source=xxx
| stats avg(ProcessTime) as avgProcessTime by host, username, SimulatorProcess
| table host, username, SimulatorProcess, avgProcessTime
You can also do this over time:
index=ixxx sourcetype=sxxx host=xyz source=xxx
| timechart avg(ProcessTime) as avgProcessTime, values(username) as users, values(host) as hosts by SimulatorProcess
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's how to get the average processTime by user, host, and SimulatorProcess:
index=ixxx sourcetype=sxxx host=xyz source=xxx
| stats avg(ProcessTime) as avgProcessTime by host, username, SimulatorProcess
| table host, username, SimulatorProcess, avgProcessTime
You can also do this over time:
index=ixxx sourcetype=sxxx host=xyz source=xxx
| timechart avg(ProcessTime) as avgProcessTime, values(username) as users, values(host) as hosts by SimulatorProcess
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent.. Thank you for the assist.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stats count by _Time, host, username, SimulatorProcess, ProcessTime gives me a good chart. Now to average
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
