Solved: Re: Splunk average for particular count

allladin101 · ‎11-06-2014

I am attempting to find half–hourly average of elapsed time for the GETXML message has exceeded 2,000ms for an half- hourly message count of 30,000 or more. I have the below query, BUT i am not sure how can add a check for this part "half- hourly message count of 30,000 or more" in the below query ?

can someone help

index=whatever* sourcetype=server GetXML timing=* | timechart span=30m avg(timing) by blob_type

somesoni2 · ‎11-06-2014

Try this

index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type

View solution in original post

somesoni2 · ‎11-06-2014

Try this

index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type

somesoni2 · ‎11-06-2014

Missed including the _time field. Check the updated answer

allladin101 · ‎11-06-2014

works now - thanks 🙂

allladin101 · ‎11-06-2014

doesnt seem to work 😞

This part doesnt seems to be working:

where count>30 | timechart span=30m avg(avgtiming) by blob_type

Splunk average for particular count

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms