Splunk Search

## Splunk AVG Query

Explorer

I am consuming some data using an API. I want to calculate the average time it took for all my customers. After each ingestion (data consumed for a particular customer), I print a time matrix for that customer.

``timechart span=24h avg(total_time)``

Now to calculate average I cannot simply extract the time field and do avg(total_time), because if customerA completes ingestion in 1 hour, and customerB takes 24 hours, customer A will be logged 24 times and B will be logged once, giving me inaccurate results and bringing down the average.

How do I create a filter, let's say the time duration is 7 days, so I get only those log lines for a particular customer which have the maximum total_time over a period of 7 days? I.e. one log line per customer that has the max total_time over a period of 7 days for that particular customer.

1 Solution
SplunkTrust

Try it this way around

```
| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average
```
SplunkTrust
``timechart span=24h avg(total_time) by customer``

How are you getting 24 events for customerA if they only ingested once?

Explorer

The ingestion time for customer A is, let's suppose, close to 1 hour, so in 24 hours there will be 24 events logged, let's say 50 mins, 61 mins, 54 mins ... and so on, so there will be 24 events for customer A. Customer B takes roughly 24 hours and got ingested once, so now I want the avg (max(customerA), max(customer B)) over a certain period of time, let's say 7 days.

Explorer

The process is cyclic and continuous, it keeps happening again and again

SplunkTrust
```
| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by customer
```
Explorer

The timechart part works. But adding stats line after that doesn't give any visualization and stats

SplunkTrust

I am not exactly sure what you are trying to visualise. Is it like a rolling average of the daily maximums, or a cumulative average i.e. average from the start to each day, or something like that?

Explorer

If I have 10 customers A, B, C and so on, each customer is doing its own ingestion at its own speed. After each ingestion, each customer will produce a log line. This process is cyclic and continuous, so let's suppose A completed ingestion 10 times in 24 hours, B completed ingestion 5 times in 24 hours and so on... what I want is

avg(max time taken by A , max time taken by B, maximum time taken by C,...... and so on)

SplunkTrust

OK so the stats needs to get the average for all customers each day

```
| timechart span=24h max(total_time) as max_time by customer
| stats avg(max_time) as average by _time
```
Explorer

I am seeing blank responses

SplunkTrust

Try it this way around

```
| bin _time span=24h
| stats max(total_time) as max_time by _time customer
| timechart span=24h avg(max_time) as average
```
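
The bin-then-stats approach from the last answer, run on constructed events so the event-weighted average and the average of per-customer maxima appear side by side. This is an added example, not part of the thread; the `makeresults` sample data, the minute unit for `total_time` and the `naive_average` field name are assumptions.

```spl
| makeresults count=25 ```constructed sample: 25 events, all stamped with the search time```
| streamstats count as n
| eval customer=if(n<=24, "customerA", "customerB") ```24 short runs for customerA, one long run for customerB```
| eval total_time=if(customer="customerA", 50 + (n % 12), 1440) ```assumed unit: minutes```
| bin _time span=24h
| eventstats avg(total_time) as naive_average by _time ```every event counts, so customerA dominates```
| stats max(total_time) as max_time, first(naive_average) as naive_average by _time customer
| stats avg(max_time) as average, first(naive_average) as naive_average by _time ```one value per customer per day```
```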