Solved: Summary-Index: Is it possible to summary index the...

hofer · ‎04-17-2015

So i got this report running all 15min and saving into my summary index:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms

Now there are 2 durations in an original event, one is the Message_DURATION_whole and one the Message_DURATION_part1.
I'd like to have both the averages (see search above) of them in my summary index event. These two fields are field extractions.
Is this possible or do I have to just add another report, which makes almost the same, but with the other duration?

Thank you very much

ngatchasandra · ‎04-17-2015

Hi hofer,

This is possible!

You will write your request like this:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms, avg(Message_DURATION_part1) AS ms2

View solution in original post

ngatchasandra · ‎04-17-2015

Hi hofer,

This is possible!

You will write your request like this:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms, avg(Message_DURATION_part1) AS ms2

juvetm · ‎04-17-2015

Hi
can you try to use the eval commad i think this may help o solve you problem

hofer · ‎04-20-2015

Thank you, ngatchasandra.
@juvetm, yes this is also possible, but unfortunately "eval" doesn't go with "avg". But for example a straight line, this works great.

Summary-Index: Is it possible to summary index the averages of two calculated fields in the same search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!