Splunk Search

Splunk average for particular count

allladin101
Explorer

I am attempting to find half–hourly average of elapsed time for the GETXML message has exceeded 2,000ms for an half- hourly message count of 30,000 or more. I have the below query, BUT i am not sure how can add a check for this part "half- hourly message count of 30,000 or more" in the below query ?

can someone help

index=whatever* sourcetype=server GetXML timing=* | timechart span=30m avg(timing) by blob_type

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type

View solution in original post

0 Karma

somesoni2
Revered Legend

Try this

index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type
0 Karma

somesoni2
Revered Legend

Missed including the _time field. Check the updated answer

0 Karma

allladin101
Explorer

works now - thanks 🙂

0 Karma

allladin101
Explorer

doesnt seem to work 😞

This part doesnt seems to be working:

where count>30 | timechart span=30m avg(avgtiming) by blob_type

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...