
How to get an average from this search?

New Member

I'm using the following search which I have working in a dashboard.

"A PUT was made to OpenAAA API - Status: OK"
| spath AppID | search AppID=200296 Environment=prod | timechart count by Environment

It displays the # of events for each day without issue.

But how can I get the average # of events for the same 7-day time frame?

Any help would be greatly appreciated!

0 Karma

Re: How to get an average from this search?

Motivator

Hello there, have you tried
... | timechart avg(count) as avgCount by Environment span=1d

0 Karma

Re: How to get an average from this search?

New Member

Thank you @alemarzu
I just tried "A PUT was made to OpenAAA API - Status: OK" | spath AppID | search AppID=200296 Environment=prod |timechart avg(count) as avgCount by Environment span=1d

and got No Results found

0 Karma

Re: How to get an average from this search?

Contributor

Hi @kvanwagoner,

You can provide a span value in the timechart command to have it display the count over a 7-day period.

For example:

"A PUT was made to OpenAAA API - Status: OK" | spath AppID | search AppID=200296 Environment=prod | timechart span=7d count by Environment

Splunk Doc: Timechart Bin Options


0 Karma

Re: How to get an average from this search?

New Member

Thanks @harshpatel
I tried that and it returned the following

_time prod
2019-05-27 2353
2019-06-03 79

Not quite what I'm looking for. I need the average over the 7 days which should be around 347.
I'm not sure what the 2353 actually represents.

Any ideas?
Thanks

This is what was returned from my original search
27th 44
28th 390
29th 586
30th 520
31st 492
1st 211
2nd 110
3rd 83

0 Karma

Re: How to get an average from this search?

Contributor

Hi @kvanwagoner, can you try this:

"A PUT was made to OpenAAA API - Status: OK" | spath AppID | search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod) by _time
0 Karma

Re: How to get an average from this search?

New Member

Thanks @harshpatel
That returns 2 records when using "Last 7 days" in search
2019-05-27 334
2019-06-03 146

This is closer to what I need, but I'm not sure why it's returning 2 records and the average is slightly off.
355 should be the last 7 day average based on the results from my original search.
I just need it to give me 1... any ideas?

0 Karma

Re: How to get an average from this search?

Contributor

In what time range are you running this query? If you just want the last 7 days' records, run your search for the last 7 days only. Your records span more than 7 days. That's why it is getting an extra row.

Hope this helps.

0 Karma

Re: How to get an average from this search?

New Member

@harshpatel
I used the search criteria you gave me with a timerange of Last 7 Days.

0 Karma

Re: How to get an average from this search?

Contributor

Well, if you just want the average, then you can do something like:

"A PUT was made to OpenAAA API - Status: OK" | spath AppID | search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)
0 Karma
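
An added example (not posted by anyone in the thread): a Python model of what the searches above compute from the daily counts quoted in the thread. It shows that grouping into 7-day buckets yields one row per bucket, while averaging the per-day counts with no time grouping yields a single value. The calendar dates and the bucket anchor are assumptions inferred from the 2019-05-27 / 2019-06-03 rows, and the function names are illustrative.

```python
from collections import defaultdict
from datetime import date, timedelta

# Daily counts quoted in the thread ("27th 44" ... "3rd 83"). The calendar
# dates are an assumption inferred from the 2019-05-27 / 2019-06-03 rows.
DAILY = {
    date(2019, 5, 27): 44,
    date(2019, 5, 28): 390,
    date(2019, 5, 29): 586,
    date(2019, 5, 30): 520,
    date(2019, 5, 31): 492,
    date(2019, 6, 1): 211,
    date(2019, 6, 2): 110,
    date(2019, 6, 3): 83,
}

# Start of the first 7-day bucket, taken from the thread's span=7d output.
BUCKET_ANCHOR = date(2019, 5, 27)


def bucket_start(day, anchor=BUCKET_ANCHOR, span_days=7):
    """Return the start of the fixed-width bucket that contains `day`."""
    offset = (day - anchor).days
    return anchor + timedelta(days=(offset // span_days) * span_days)


def weekly(daily, agg):
    """Group per-day counts into 7-day buckets, then aggregate each bucket."""
    groups = defaultdict(list)
    for day, n in sorted(daily.items()):
        groups[bucket_start(day)].append(n)
    return {start: agg(values) for start, values in groups.items()}


def mean(values):
    return sum(values) / len(values)


def overall_daily_average(daily):
    """Mean of the per-day counts with no time grouping: a single number."""
    return mean(list(daily.values()))


if __name__ == "__main__":
    print(weekly(DAILY, sum))            # one summed row per 7-day bucket
    print(weekly(DAILY, mean))           # one averaged row per 7-day bucket
    print(overall_daily_average(DAILY))  # a single value for the whole window
```

Eight calendar days cross a 7-day bucket boundary, so any per-bucket aggregation returns two rows; only the ungrouped average collapses to one.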