Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk average for particular count
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
allladin101
Explorer
11-06-2014
06:05 AM
I am attempting to find half–hourly average of elapsed time for the GETXML message has exceeded 2,000ms for an half- hourly message count of 30,000 or more. I have the below query, BUT i am not sure how can add a check for this part "half- hourly message count of 30,000 or more" in the below query ?
can someone help
index=whatever* sourcetype=server GetXML timing=* | timechart span=30m avg(timing) by blob_type
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-06-2014
07:37 AM
Try this
index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-06-2014
07:37 AM
Try this
index=whatever* sourcetype=server GetXML timing=* | bucket span=30m _time | stats avg(timing) as avgtiming count by blob_type, _time | where count>30000 | timechart span=30m avg(avgtiming) by blob_type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-06-2014
09:11 AM
Missed including the _time field. Check the updated answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
allladin101
Explorer
11-06-2014
10:14 AM
works now - thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
allladin101
Explorer
11-06-2014
08:43 AM
doesnt seem to work 😞
This part doesnt seems to be working:
where count>30 | timechart span=30m avg(avgtiming) by blob_type
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
