Solved: Re: Splunk average for particular count

allladin101 · ‎11-06-2014

I am attempting to find half–hourly average of elapsed time for the GETXML message has exceeded 2,000ms for an half- hourly message count of 30,000 or more. I have the below query, BUT i am not sure how can add a check for this part "half- hourly message count of 30,000 or more" in the below query ?

can someone help

index=whatever* sourcetype=server GetXML timing=* | timechart span=30m avg(timing) by blob_type

somesoni2 · ‎11-06-2014

Try this

index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type

View solution in original post

somesoni2 · ‎11-06-2014

Try this

index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type

somesoni2 · ‎11-06-2014

Missed including the _time field. Check the updated answer

allladin101 · ‎11-06-2014

works now - thanks 🙂

allladin101 · ‎11-06-2014

doesnt seem to work 😞

This part doesnt seems to be working:

where count>30 | timechart span=30m avg(avgtiming) by blob_type

Splunk average for particular count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation