Solved: Splunk AVG Query

rai4shambhavi · ‎08-06-2021

I am consuming some data using an API, I want to calculate avg time it took for all my customer, after each ingestion (data consumed for a particular customer), I print a time matrix for that customer.

timechart span=24h avg(total_time)

Now to calculate average I cannot simply extract the time field and do avg(total_time), because if customerA completes ingestion in 1 hour, and customerB takes 24 hours, customer A will be logged 24 times and B will be logged once, giving me inaccurate results and bringing down the average.

How do I create a filter let's say time duration is 7 days, so I get only those log lines for a particular customer which has the maximum total_time over a period of 7 days. i.e one log line per customer that has max total_time over a period of 7 days for that particular customer.

ITWhisperer · ‎08-06-2021

Try it this way around

| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average

View solution in original post

ITWhisperer · ‎08-06-2021

timechart span=24h avg(total_time) by customer

How are you getting 24 events for customerA if they only ingested once?

rai4shambhavi · ‎08-06-2021

The ingestion time for customer A is let's suppose close to 1 hour, so in 24 hours there will be 24 events logged, let's say 50mins, 61mins, 54 mins ... and so on, so there will be 24 events for customer A, customer B takes roughly 24 hours and got ingested once, so now i want the avg (max(customerA), max(customer B)) over a certain period of time let's say 7 days

rai4shambhavi · ‎08-06-2021

The process is cyclic and continuous, it keeps happening again and again

ITWhisperer · ‎08-06-2021

| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by customer

rai4shambhavi · ‎08-06-2021

The timechart part works. But adding stats line after that doesn't give any visualization and stats

ITWhisperer · ‎08-06-2021

I am not exactly sure what you are trying to visualise. Is it like a rolling average of the daily maximums, or a cumulative average i.e. average from the start to each day, or something like that?

rai4shambhavi · ‎08-06-2021

if I have 10 customers A, B, C and so on, each customer is doing it's own ingestion at it's own speed, after each ingestion, each customer will produce a log line. This process is cyclic and continuous, so let's suppose A completed ingestion 10 times in 24 hours, B completed ingestion 5 times in 24 hours and so on... what I want is

avg(max time taken by A , max time taken by B, maximum time taken by C,...... and so on)

ITWhisperer · ‎08-06-2021

OK so the stats needs to get the average for all customers each day

| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by _time

rai4shambhavi · ‎08-06-2021

I am seeing blank responses

Screenshot 2021-08-06 at 6.37.10 PM.png

ITWhisperer · ‎08-06-2021

Try it this way around

| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average

Splunk AVG Query

stats

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...