Splunk Search

Time chart for average of duration by Channel span 1h

saikumarkomati
New Member

I have the following data and i am trying to create a time chart of the data for average duration by channel

"_time",duration,CH
"2020-02-13 11:30:32.367",275,BOSRetail
"2020-02-13 12:47:59.334",202,LTSBRetail
"2020-02-13 11:02:54.025",216,BOSRetail
"2020-02-13 11:26:11.459",264,BOSRetail
"2020-02-13 11:53:03.636",179,BOSRetail
"2020-02-13 11:20:53.384",269,BOSRetail
"2020-02-13 10:58:52.428",264,BOSRetail
"2020-02-13 09:41:22.445",216,LTSBRetail
"2020-02-13 09:56:09.820",233,LTSBRetail
"2020-02-13 10:58:13.035",240,LTSBRetail
"2020-02-13 11:47:48.664",325,BOSRetail
"2020-02-13 12:21:27.147",274,LTSBRetail
"2020-02-13 11:18:59.352",235,BOSRetail
"2020-02-13 11:23:25.297",257,BOSRetail
"2020-02-13 11:03:32.007",274,HalifaxRetail
"2020-02-13 11:02:15.745",181,LTSBRetail
"2020-02-13 11:47:03.084",264,BOSRetail
"2020-02-13 15:28:01.956",260,HalifaxRetail
"2020-02-13 11:54:23.306",276,BOSRetail
"2020-02-13 11:55:58.454",215,LTSBRetail
"2020-02-13 11:00:05.081",240,HalifaxRetail
"2020-02-13 11:56:38.345",236,BOSRetail
"2020-02-13 11:49:52.787",226,BOSRetail
"2020-02-13 15:24:13.651",247,HalifaxRetail
"2020-02-13 09:31:26.887",194,LTSBRetail
"2020-02-13 11:51:59.928",262,BOSRetail
"2020-02-13 11:57:18.917",227,HalifaxRetail
"2020-02-13 09:42:04.574",171,LTSBRetail
"2020-02-13 15:25:51.943",334,HalifaxRetail

for unknown reason the average duration values are not reflecting on the timechart using the below query
| timechart span=1h avg(duration) by CH

0 Karma

to4kawa
SplunkTrust
SplunkTrust
| makeresults
| eval _raw="time,duration,CH
\"2020-02-13 11:30:32.367\",275,BOSRetail
\"2020-02-13 12:47:59.334\",202,LTSBRetail
\"2020-02-13 11:02:54.025\",216,BOSRetail
\"2020-02-13 11:26:11.459\",264,BOSRetail
\"2020-02-13 11:53:03.636\",179,BOSRetail
\"2020-02-13 11:20:53.384\",269,BOSRetail
\"2020-02-13 10:58:52.428\",264,BOSRetail
\"2020-02-13 09:41:22.445\",216,LTSBRetail
\"2020-02-13 09:56:09.820\",233,LTSBRetail
\"2020-02-13 10:58:13.035\",240,LTSBRetail
\"2020-02-13 11:47:48.664\",325,BOSRetail
\"2020-02-13 12:21:27.147\",274,LTSBRetail
\"2020-02-13 11:18:59.352\",235,BOSRetail
\"2020-02-13 11:23:25.297\",257,BOSRetail
\"2020-02-13 11:03:32.007\",274,HalifaxRetail
\"2020-02-13 11:02:15.745\",181,LTSBRetail
\"2020-02-13 11:47:03.084\",264,BOSRetail
\"2020-02-13 15:28:01.956\",260,HalifaxRetail
\"2020-02-13 11:54:23.306\",276,BOSRetail
\"2020-02-13 11:55:58.454\",215,LTSBRetail
\"2020-02-13 11:00:05.081\",240,HalifaxRetail
\"2020-02-13 11:56:38.345\",236,BOSRetail
\"2020-02-13 11:49:52.787\",226,BOSRetail
\"2020-02-13 15:24:13.651\",247,HalifaxRetail
\"2020-02-13 09:31:26.887\",194,LTSBRetail
\"2020-02-13 11:51:59.928\",262,BOSRetail
\"2020-02-13 11:57:18.917\",227,HalifaxRetail
\"2020-02-13 09:42:04.574\",171,LTSBRetail
\"2020-02-13 15:25:51.943\",334,HalifaxRetail"
| multikv forceheader=1
| eval _time=strptime(time,"\"%F %T.%3Q\"")
| table _time,duration,CH
`comment("this is the sample you provide")`
| timechart cont=f span=1h avg(duration) as average by CH

As you like, add | eval average = round(average,3)

p.s. Do you accept and close last question?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What result do you get now?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

saikumarkomati
New Member

i am getting a chart with 0/null values, statistics view is as below
_time BOSRetail HalifaxRetail LTSBRetail
1 2020-02-13 09:00:00

2 2020-02-13 09:30:00

3 2020-02-13 10:00:00

4 2020-02-13 10:30:00

5 2020-02-13 11:00:00

6 2020-02-13 11:30:00

7 2020-02-13 12:00:00

8 2020-02-13 12:30:00

9 2020-02-13 13:00:00

10 2020-02-13 13:30:00

11 2020-02-13 14:00:00

12 2020-02-13 14:30:00

13 2020-02-13 15:00:00

14 2020-02-13 15:30:00

15 2020-02-13 16:00:00

16 2020-02-13 16:30:00

17 2020-02-13 17:00:00

18 2020-02-13 17:30:00

19 2020-02-13 18:00:00

20 2020-02-13 18:30:00

0 Karma