Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats with different bins (full time period AND 5 min intervals)- How to compare average time?

dmoberg
Path Finder
‎09-26-2022 04:03 AM

I have a need to compare the average time for certain events with the 5 min bucket/bins of the same events. The idea is to find 5 min intervals that deviate more than a certain percentage from the average response times and then in some way display those intervals.

I am however struggling to figure out how to output the Average for the entire time period but also calculate the 5 minute intervals.

The following query, returns nothing (can you even do 2 Stats in the same query?):

search | stats avg(Value) as AvgEntirePeriod | bin _time span=5m | stats avg(Value) by _time

Any ideas on how to write this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-26-2022 04:51 AM

Hi @dmoberg,

you can use eventstats to have the average of the full period, something like this:

search 
| eventstats avg(Value) as AvgEntirePeriod
| bin _time span=5m 
| stats 
   avg(Value) AS AvgFiveMinutes 
   values(AvgEntirePeriod) AS AvgEntirePeriod 
   BY _time
| eval perc=round(AvgFiveMinutes/AvgEntirePeriod*100,2)

Ciao.

giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

andrew_nelson
Communicator
‎09-26-2022 04:54 AM

You can do as many stats calls as you like in a query, but what you need is eventstats. Also timechart can be used to replace the bin and stats.

search | timechart span=5m avg(Value) as binAvg | eventstats avg(binAvg) as allAvg

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-26-2022 04:51 AM

Hi @dmoberg,

you can use eventstats to have the average of the full period, something like this:

search 
| eventstats avg(Value) as AvgEntirePeriod
| bin _time span=5m 
| stats 
   avg(Value) AS AvgFiveMinutes 
   values(AvgEntirePeriod) AS AvgEntirePeriod 
   BY _time
| eval perc=round(AvgFiveMinutes/AvgEntirePeriod*100,2)

Ciao.

giuseppe

0 Karma
Reply
Solved! Jump to solution

dmoberg
Path Finder
‎09-27-2022 12:28 AM

Thanks! The EventStats did the trick

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-27-2022 12:40 AM

Hi @dmoberg,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...