Splunk Search

Splunk AVG Query

rai4shambhavi
Explorer

I am consuming some data using an API, and I want to calculate the average time it took for all my customers. After each ingestion (data consumed for a particular customer), I print a time matrix for that customer.

| timechart span=24h avg(total_time)

Now, to calculate the average, I cannot simply extract the time field and do avg(total_time), because if customerA completes ingestion in 1 hour and customerB takes 24 hours, customer A will be logged 24 times and B will be logged once, giving me inaccurate results and bringing down the average.

How do I create a filter, let's say over a time duration of 7 days, so that I get only those log lines for a particular customer which have the maximum total_time over that period, i.e. one log line per customer that has the max total_time over a period of 7 days for that particular customer?

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try it this way around

| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average

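To show why the accepted pipeline (bin, then max per customer per bucket, then average) differs from a plain avg(total_time), here is an added Python re-implementation of the same three stages run over constructed sample events. It is not Splunk code and not part of the original thread; the event data, the minute values and the epoch-aligned bucket boundaries are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_events():
    """Constructed sample events, not real data: (timestamp, customer, total_time_minutes).

    customerA finishes an ingestion roughly every hour (24 events per day),
    customerB needs about 24 hours and logs once per day.
    """
    base = datetime(2021, 8, 1, tzinfo=timezone.utc)
    events = []
    for day in range(2):
        for hour in range(24):
            ts = base + timedelta(days=day, hours=hour, minutes=55)
            events.append((ts, "customerA", 50 + (hour % 5) * 3))  # 50..62 minutes
        events.append((base + timedelta(days=day, hours=23, minutes=59), "customerB", 1440))
    return events


def bin_time(ts, span_hours):
    """Equivalent of `| bin _time span=<N>h`: floor ts to a span boundary.

    Assumption: buckets are aligned to the Unix epoch (so a 24h span starts at
    midnight UTC). Returns the bucket start as an ISO-8601 string for easy keying.
    """
    secs = int((ts - EPOCH).total_seconds())
    span = span_hours * 3600
    return (EPOCH + timedelta(seconds=secs - secs % span)).isoformat()


def naive_average(events, span_hours):
    """`| timechart span=<N>h avg(total_time)`: every event counts once, so a
    customer that logs 24 times a day dominates the bucket."""
    buckets = defaultdict(list)
    for ts, _cust, total_time in events:
        buckets[bin_time(ts, span_hours)].append(total_time)
    return {b: sum(v) / len(v) for b, v in buckets.items()}


def per_customer_max(events, span_hours):
    """`| bin _time span=<N>h | stats max(total_time) as max_time by _time customer`:
    one row per (bucket, customer) holding that customer's slowest run."""
    rows = {}
    for ts, cust, total_time in events:
        key = (bin_time(ts, span_hours), cust)
        rows[key] = max(total_time, rows.get(key, total_time))
    return rows


def average_of_customer_max(events, span_hours):
    """`| timechart span=<N>h avg(max_time) as average` over the stats output:
    each customer now contributes exactly one value per bucket."""
    buckets = defaultdict(list)
    for (bucket, _cust), max_time in per_customer_max(events, span_hours).items():
        buckets[bucket].append(max_time)
    return {b: sum(v) / len(v) for b, v in buckets.items()}


if __name__ == "__main__":
    events = build_events()
    for bucket, avg in sorted(naive_average(events, 24).items()):
        print("naive avg      ", bucket, round(avg, 2))
    for bucket, avg in sorted(average_of_customer_max(events, 24).items()):
        print("avg of per-customer max", bucket, round(avg, 2))
```

With these inputs the naive daily average is pulled down to about 111 minutes by customerA's 24 events, while the average of per-customer maxima is 751 minutes (the mean of 62 and 1440). Passing 24 * 7 as the span reproduces the 7-day variant asked about in the question: one value per customer per week, then the average across customers.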

ITWhisperer
SplunkTrust

| timechart span=24h avg(total_time) by customer

How are you getting 24 events for customerA if they only ingested once?

0 Karma

rai4shambhavi
Explorer

The ingestion time for customer A is, let's suppose, close to 1 hour, so in 24 hours there will be 24 events logged, let's say 50 mins, 61 mins, 54 mins ... and so on, so there will be 24 events for customer A. Customer B takes roughly 24 hours and got ingested once, so now I want the avg(max(customerA), max(customerB)) over a certain period of time, let's say 7 days.


0 Karma

rai4shambhavi
Explorer

The process is cyclic and continuous, it keeps happening again and again.

0 Karma

ITWhisperer
SplunkTrust

| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by customer

0 Karma

rai4shambhavi
Explorer

The timechart part works. But adding the stats line after that doesn't give any visualization or stats.

0 Karma

ITWhisperer
SplunkTrust

I am not exactly sure what you are trying to visualise. Is it like a rolling average of the daily maximums, or a cumulative average i.e. average from the start to each day, or something like that?

0 Karma

rai4shambhavi
Explorer

If I have 10 customers A, B, C and so on, each customer is doing its own ingestion at its own speed, and after each ingestion, each customer will produce a log line. This process is cyclic and continuous, so let's suppose A completed ingestion 10 times in 24 hours, B completed ingestion 5 times in 24 hours and so on... what I want is

avg(max time taken by A, max time taken by B, max time taken by C, ... and so on)

0 Karma

ITWhisperer
SplunkTrust

OK, so the stats needs to get the average for all customers each day

| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by _time

0 Karma

rai4shambhavi
Explorer

I am seeing blank responses

[Two screenshots attached (2021-08-06) showing empty results]

0 Karma
