Problems with average duration

mattheuslima · ‎06-02-2020

Hi,folks.

I trying timechart the average duration but the I'm not get the average values for all spa's of times.

The query is like this:
"
(index=a) OR (index=b)

|transaction Reg_ID|search eventcount=2 |bin _time span=1m |timechart avg(duration) as media (DATE RANGE 15 MIN)

But it only show the result for 5 min,for example .

Even when I make the average with the stats sum and c.

I can clarify it if more with you need.

Tks for help!

gcusello · ‎06-02-2020

Hi @mattheuslima,
let me understand:
you want to timechart the average duration in a timeframe of 15 minutes with span=1m,
in the transaction, you want to thake the earliest time,
is it correct?

If this is your need try something like this (that's faster!):

(index=a) OR (index=b) earliest=-15m@m latest=now
| bin span=1m _time
| stats earliest(_time) AS _time avg(duration) AS duration count BY Reg_ID
| timechart avg(duration) AS media

Ciao.
Giuseppe

Problems with average duration

timechart

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Problems with average duration

timechart

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions