Is there an easy way to do an "addaverages" instead of the addtotals function?

Is there an easy way to do an addaverages instead of addtotals?
I have the following and can't seem to use any provided solutions to get it to work.

    base search
    | bucket _time span=1m
    | stats count(eval(success="true")) as Success, count(eval(success="false")) as Failure, count as TotalAttempts by _time, proxy  
    | eval Error%=round(if(info="Success", Success, Failure)/TotalAttempts*100, 2)
    | eval Time = _time 
    | eval Time=strftime(Time, "%M/%H")
    | xyseries proxy, Time, Error%
    | fillnull value=0.00
    | addtotals fieldname=Totals

Instead of addtotals, I want the avg in the last column from all the rows column data over time.

Re: Is there an easy way to do an "addaverages" instead of the addtotals function?

Try something like this

    base search
    | bucket _time span=1m
    | stats count(eval(success="true")) as Success, count(eval(success="false")) as Failure, count as TotalAttempts by _time, proxy
    | eval Error%=round(if(info="Success", Success, Failure)/TotalAttempts*100, 2)
    | eval Time = _time
    | eval Time=strftime(Time, "%M/%H") | fillnull value=0.00
    | appendpipe [| stats avg("Error%") as "Error%" by proxy | eval Time="Total"]
    | xyseries proxy, Time, Error% | table proxy * Total

Re: Is there an easy way to do an "addaverages" instead of the addtotals function?

Awesome, this worked perfectly. I'll have to remember that appendpipe in the future.