Splunk Search

How do I get the average maximum number of a field

New Member

Hi All,

I just got involved in a Splunk project development and I have limited knowledge of how to get a Splunk search to work in the panel.
I have the following fields here to perform the calculation of the average of the network utilization:
1. Bytes = the total number of bytes received/sent by a flow (client <=> server)
2. Duration = the amount of time the flow takes to finish the conversation

My question here will be how do I get the below:
1. The average utilization based on the above counts
2. The max average utilization of the above

Highly appreciate your feedback to it. Thank you.

My current search is not working well and returns no value at all. The Client Addr and Server Addr are the IP address filters that allow the user to enter a specific IP address for the search.

The first average utilization search that I'm using is as below (Bytes * 8 converts bytes to bits; dividing by Duration gives bits per second, and dividing by 1000000 gives Mbps):
sourcetype=sv_flows host="$source$" "Client Addr"=$src$ "Server Addr"=$dst$
| eval mbps=(((Bytes * 8) / Duration) / 1000000)
| timechart avg(mbps) as "Avg Mbps"

The second Maximum Average utilization search is as below:
sourcetype=sv_flows host="$source$" "Client Addr"=$src$ "Server Addr"=$dst$
| eval rDuration = round(Duration,0)
| eval maxbps=round((((Bytes * 8) / rDuration) / 1000000),0)
| stats max(maxbps) as "Avg Max Mbps"

0 Karma
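As an added example (not part of the original thread), the following Python mirrors the calculation the question asks for outside of Splunk, so the expected values can be checked against what the panel returns: per-flow Mbps = (Bytes * 8) / Duration / 1000000, an hourly average like `timechart span=1h avg(mbps)`, and the peak of those hourly averages like `eventstats max("Avg Mbps")`. The flow records are constructed sample data; a Duration of 0 yields null in Splunk's eval, so it is skipped here the same way.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flows (not real data): _time is epoch seconds, Bytes and
# Duration are the two fields named in the question.
SAMPLE_FLOWS = [
    {"_time": 1672531200, "Bytes": 12_000_000, "Duration": 8},   # 2023-01-01 00:00 UTC
    {"_time": 1672532400, "Bytes": 6_000_000,  "Duration": 4},   # same 00:00 bucket
    {"_time": 1672534800, "Bytes": 30_000_000, "Duration": 10},  # 01:00 bucket
    {"_time": 1672536000, "Bytes": 5_000_000,  "Duration": 0},   # Duration 0: eval gives null
    {"_time": 1672538400, "Bytes": 2_500_000,  "Duration": 20},  # 02:00 bucket
]


def flow_mbps(flow):
    """Equivalent of: | eval mbps=(((Bytes * 8) / Duration) / 1000000).

    Returns None where Splunk's eval would produce null (Duration missing or 0),
    so a zero-length flow does not blow up the average with a divide-by-zero.
    """
    duration = flow.get("Duration")
    if not duration:
        return None
    return (flow["Bytes"] * 8 / duration) / 1_000_000


def timechart_avg_mbps(flows, span=3600):
    """Equivalent of: | timechart span=1h avg(mbps) as "Avg Mbps".

    Groups flows into fixed buckets of `span` seconds (default one hour) and
    averages the non-null mbps values in each bucket. Keys are bucket-start epochs.
    """
    buckets = defaultdict(list)
    for flow in flows:
        mbps = flow_mbps(flow)
        if mbps is not None:  # null values are ignored by avg(), as in Splunk
            buckets[flow["_time"] - flow["_time"] % span].append(mbps)
    return {start: sum(vals) / len(vals) for start, vals in sorted(buckets.items())}


def max_avg_mbps(per_bucket):
    """Equivalent of: | eventstats max("Avg Mbps") as "Max Avg" (the peak hourly average)."""
    return max(per_bucket.values()) if per_bucket else None


if __name__ == "__main__":
    hourly = timechart_avg_mbps(SAMPLE_FLOWS)
    for start, avg in hourly.items():
        stamp = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(f"{stamp}  Avg Mbps={avg:.2f}")
    print("Max Avg Mbps =", max_avg_mbps(hourly))
```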


See if this gives you what you're looking for

sourcetype=sv_flows host="$source$" "Client Addr"=$src$ "Server Addr"=$dst$ | eval mbps=Bytes/(1024*1024*1024) | timechart span=1h avg(mbps) as "Avg Mbps" | eventstats max("Avg Mbps") as "Max Avg" | table _time "Avg Mbps" "Max Avg"
0 Karma


Second check: Are you trying to do this directly in a dashboard panel? If you replace all the variables you are using with hard-coded values and just run it as a search, does it work there?

In general if you aren't doing it this way now, I'd suggest developing your searches in Search, adding them to the dashboard and then making the tiny changes you need to get it "just right" for the panel.

0 Karma


You say you have the fields, but can you go through it one by one and confirm? If you start from the beginning, does

sourcetype=sv_flows host="$source$" "Client Addr"=$src$ "Server Addr"=$dst$ 

work and return the events you expect and the fields you need? Then if you add just the one eval:

| eval mbps=(((Bytes * 8) / Duration) / 1000000)

does the mbps show up properly?

If you could paste a couple of the events (please be sure to use the "101010" code button in the editor!) it might be easier for folks to get the right answer faster.

0 Karma


I assume you're populating your tokens $source$ , $src$ and $dst$ from a drop down / form input? If not, that's your first problem.

Also, you shouldn't have spaces in your field names normally; that looks a little out of place to me.

Also, no clue why you divide by 1000000.

All that aside, if you have those tokens, your search should have returned results. So I stick with my original hunch... you're not populating these tokens. Can you share the entire dashboard code? You'll have to use the codeblocks / codesample / "101010" button to paste in the xml code. Can you also share some sample data?

0 Karma