Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk AVG Query

rai4shambhavi
Explorer
‎08-06-2021 01:30 AM

I am consuming some data using an API, I want to calculate avg time it took for all my customer, after each ingestion (data consumed for a particular customer), I print a time matrix for that customer.

timechart span=24h avg(total_time)

Now to calculate average I cannot simply extract the time field and do avg(total_time), because if customerA completes ingestion in 1 hour, and customerB takes 24 hours, customer A will be logged 24 times and B will be logged once, giving me inaccurate results and bringing down the average.

How do I create a filter let's say time duration is 7 days, so I get only those log lines for a particular customer which has the maximum total_time over a period of 7 days. i.e one log line per customer that has max total_time over a period of 7 days for that particular customer.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 07:13 AM

Try it this way around

| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 01:52 AM 
timechart span=24h avg(total_time) by customer

How are you getting 24 events for customerA if they only ingested once?

0 Karma
Reply
Solved! Jump to solution

rai4shambhavi
Explorer
‎08-06-2021 02:04 AM

The ingestion time for customer A is let's suppose close to 1 hour, so in 24 hours there will be 24 events logged, let's say 50mins, 61mins, 54 mins ... and so on, so there will be 24 events for customer A, customer B takes roughly 24 hours and got ingested once, so now i want the avg (max(customerA), max(customer B)) over a certain period of time let's say 7 days

 

0 Karma
Reply
Solved! Jump to solution

rai4shambhavi
Explorer
‎08-06-2021 02:05 AM

The process is cyclic and continuous, it keeps happening again and again 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 02:26 AM 
| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by customer
0 Karma
Reply
Solved! Jump to solution

rai4shambhavi
Explorer
‎08-06-2021 02:45 AM

The timechart part works. But adding stats line after that doesn't give any visualization and stats

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 04:51 AM

I am not exactly sure what you are trying to visualise. Is it like a rolling average of the daily maximums, or a cumulative average i.e. average from the start to each day, or something like that?

0 Karma
Reply
Solved! Jump to solution

rai4shambhavi
Explorer
‎08-06-2021 05:05 AM

if I have 10 customers A, B, C and so on, each customer is doing it's own ingestion at it's own speed,  after each ingestion, each customer will produce a log line. This process is cyclic and continuous, so let's suppose A completed ingestion 10 times in 24 hours, B completed ingestion 5 times in 24 hours and so on... what I want is

avg(max time taken by A , max time taken by B, maximum time taken by C,...... and so on) 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 05:08 AM

OK so the stats needs to get the average for all customers each day

| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by _time
0 Karma
Reply
Solved! Jump to solution

rai4shambhavi
Explorer
‎08-06-2021 06:09 AM

I am seeing blank responses

Screenshot 2021-08-06 at 6.37.10 PM.pngScreenshot 2021-08-06 at 6.37.18 PM.png

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 07:13 AM

Try it this way around

| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average
Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Top