Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the average of two fields from two different indexes by time?

sam_jacob
Path Finder
‎08-03-2015 01:37 PM

I'm trying to get the average memory and CPU usage by the hour. Unfortunately, that information is stored on two different indexes, so I appended the CPU results with the memory results, and used bucket to get the result hourly. But I'm now getting the average of each hour. 

index=[redacted] host=[redacted] sourcetype=[redacted] earliest=-24h@h latest=@h 
| multikv fields memUsedPct 
| append [search index=[redacted] host=[redacted] sourcetype=cpu earliest=-24h@h latest=@h | multikv fields pctIdle | search CPU=all | eval cpuUsedPct=100-pctIdle] 
| sort _time 
| bucket _time span=60m 
| eval Time=strftime(_time, "%m/%d/%y %H:%M")
| stats avg(cpuUsedPct) as "CPU Percent" by Time, avg(memUsedPct) as Percent by Time

When I execute the search, I get the error: Error in 'stats' command: Repeated group-by field 'Time'. and I'm assuming this is because I get the average of two different fields by Time

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sam_jacob
Path Finder
‎08-03-2015 07:34 PM

I was able to figure it out what I was doing wrong. This is what the correct query should look like:

index=[redacted] host=[redacted] sourcetype=[redacted] earliest=-24h@h latest=@h 
| multikv fields memUsedPct 
| append [search index=[redacted] host=[redacted] sourcetype=cpu earliest=-24h@h latest=@h | multikv fields pctIdle | search CPU=all | eval cpuUsedPct=100-pctIdle] 
| sort _time 
| bucket _time span=60m 
| eval Time=strftime(_time, "%m/%d/%y %H:%M")
| stats avg(cpuUsedPct) as "CPU Percent", avg(memUsedPct) as Percent by Time

View solution in original post

Reply
Solved! Jump to solution
Solution

sam_jacob
Path Finder
‎08-03-2015 07:34 PM

I was able to figure it out what I was doing wrong. This is what the correct query should look like:

index=[redacted] host=[redacted] sourcetype=[redacted] earliest=-24h@h latest=@h 
| multikv fields memUsedPct 
| append [search index=[redacted] host=[redacted] sourcetype=cpu earliest=-24h@h latest=@h | multikv fields pctIdle | search CPU=all | eval cpuUsedPct=100-pctIdle] 
| sort _time 
| bucket _time span=60m 
| eval Time=strftime(_time, "%m/%d/%y %H:%M")
| stats avg(cpuUsedPct) as "CPU Percent", avg(memUsedPct) as Percent by Time
Reply
Solved! Jump to solution

ppablo
Retired
‎08-03-2015 02:15 PM

Hi @sam_jacob

Could you actually paste your answer/final working search as a formal answer in the "Enter your answer..." box below? That way I can accept that for you as the correct solution to resolve this post instead of it floating around as unanswered. Thanks!

Reply
Solved! Jump to solution

sam_jacob
Path Finder
‎08-03-2015 07:35 PM

Thanks, yea I just submitted the answer. Once it gets approved I'll select it.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎08-04-2015 09:47 AM

great, thanks @sam_jacob cheers!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...