Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get stats average with a where clause in the same search?

justinrowan
Explorer
‎04-13-2016 02:48 PM

If I run this search:

index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" | stats avg(ELAPSED_TIME)

I get the expected average.
If I run the following search, I get the expected results of events where the ELAPSED_TIME field is less than 1.

index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1

But if I combine the two searches (looking for an average ELAPSED_TIME for events in which ELAPSED_TIME is less than 1):

index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | stats avg(ELAPSED_TIME)

I get 0 as a result.

What am I missing to achieve the desired results?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-14-2016 07:29 AM

Give this a try

 index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | eval ELAPSED_TIME=tonumber(ELAPSED_TIME)| stats avg(ELAPSED_TIME)

OR 

 index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | eval ELAPSED_TIME=ELAPSED_TIME/1.0| stats avg(ELAPSED_TIME)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-14-2016 07:29 AM

Give this a try

 index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | eval ELAPSED_TIME=tonumber(ELAPSED_TIME)| stats avg(ELAPSED_TIME)

OR 

 index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | eval ELAPSED_TIME=ELAPSED_TIME/1.0| stats avg(ELAPSED_TIME)
Reply
Solved! Jump to solution

justinrowan
Explorer
‎04-14-2016 07:46 AM

This appears to work:

index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | eval ELAPSED_TIME=tonumber(ELAPSED_TIME)| stats avg(ELAPSED_TIME)

I'll have to verify the accuracy of it, but it appears to correct. Can you explain why Splunk interpreted this field as non-numeric by default? It should be noted that these events are db inputs from DB Connect2, maybe that has something to do with it?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-14-2016 08:44 AM

I've seen weird (non-obvious) results with data from DB Connect, specially for numeric data. I just use to_number wherever required though.

0 Karma
Reply
Solved! Jump to solution

justinrowan
Explorer
‎04-14-2016 06:53 AM

I wish it was that straigthforward, but no, all of the values are between 0 and 1 with the exception of a few (which is why I'm trying to filter to just the ones that are less than 1).

If I do stats count(ELAPSED_TIME) I get the correct number of events. But if I do any other function of stats (avg, sum, min, max), I get a result of 0 every time.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-13-2016 09:16 PM

Curious if ELAPSED_TIME is always equal to 0 when it is less than 1?

I'm not seeing the same results in my testing. Note my results changed a bit due to the event count changing in between searches:
alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...