Splunk Search

avg(count) not working in timechart?

tfitzgerald15
Explorer

I'm trying to chart the average count over a 24 hour span on a timechart, and it's just not working. The RegEx I'm using is pretty simple, so I'll admit I feel a little less than proud I can't get this to work.

... | timechart span=24h avg(count)

The goal is to create a chart where I get a line where y=avg(count), and avg(count) is the average of all values over the past 24 hours. However, when I do this, it's giving me the time properly, but under the "avg(count)" field in the table, the fields are blank/null, and the chart creates without a line, but with avg(count) in the legend.

I'm planning on using this as a piece of a larger project, the rest of which I've successfully set up. This is the last piece of the puzzle.

Thanks!

1 Solution

twinspop
Influencer

Can you confirm you have a 'count' field in your results? Use the field picker on the left to see if it appears in your results. And if it appears as a number. My guess would be one of these 2 conditions are not being met. Can you post a log sample and your field extraction, if applicable?

Using logs in my system that have 'count=X' in them, I can run your timechart command with expected results.

sourcetype=dbjobs EVENTQ.QUEUE_DEPTH | timechart span=24h avg(count)

The logs look like this:

Oct 11 11:14:51 db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=23




twinspop
Influencer

timechart span=24h count


tfitzgerald15
Explorer

Count is literally just the number of hits. It works fine when I do "| timechart count", and provides me with a chart of how many logs match my search criteria over the designated time frame.

However, it doesn't exist in my logs themselves, but it's worked for everything else. Is there another command/term for "Number of Logs"? That's really all I'm looking to get here.


zeroactive
Path Finder

avg(count) will give you an average of the number of raw events, but you have to do some additional work with "bucket" and "streamstats". See http://answers.splunk.com/answers/79026/average-count-by-day for more info on that.

If you want the average of a field, then you'll need to do "avg(fieldname)" to get the average of that value. This sounds like what you want to do, but it's a bit hard to tell exactly what, given the way you formatted the query. A few example lines of data and the field name you want to average will go a long way to help us help you.

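As an added worked example (not code from this thread or from Splunk), here is a small Python model of the behaviour the two answers describe: twinspop's point that avg(count) only produces a value when the events themselves carry a numeric count field, and zeroactive's point that "average number of events per day" needs a bucket/stats pass first so that a count field exists to average. The sample lines are constructed for the example, patterned on twinspop's log line; the ISO timestamps, the one-hour inner span and the field names in the second sample set are assumptions. Each function's docstring names the search it stands in for.

```python
"""Model of what Splunk's timechart does with avg(count) versus count."""
import re
from collections import defaultdict
from datetime import datetime, timezone

SPAN_1H = 3600
SPAN_24H = 86400

# Constructed sample events, patterned on the line twinspop posted
# ("db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=23").
# Timestamps and count values are made up for this example.
EVENTS_WITH_COUNT_FIELD = [
    "2024-10-11T00:10:00Z db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=10",
    "2024-10-11T00:40:00Z db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=20",
    "2024-10-11T05:00:00Z db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=30",
    "2024-10-11T23:59:59Z db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=40",
    "2024-10-12T00:00:00Z db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=50",
    "2024-10-12T01:30:00Z db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=70",
]

# Constructed events with no count= field, like the asker's data: each line is
# one "hit" and nothing more. Field names here are invented for the example.
EVENTS_WITHOUT_COUNT_FIELD = [
    "2024-10-11T02:00:00Z host=web1 action=login result=failure",
    "2024-10-11T02:20:00Z host=web1 action=login result=failure",
    "2024-10-11T09:00:00Z host=web2 action=login result=failure",
    "2024-10-12T03:00:00Z host=web1 action=login result=failure",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(lines):
    """Turn raw lines into events: {'_time': epoch_seconds, <key>: <value>, ...}."""
    events = []
    for line in lines:
        ts_text, _, rest = line.partition(" ")
        ts = datetime.strptime(ts_text, TS_FMT).replace(tzinfo=timezone.utc)
        event = {"_time": int(ts.timestamp())}
        event.update(KV_RE.findall(rest))  # key=value pairs become fields
        events.append(event)
    return events


def _bucket_start(epoch, span):
    """Floor a timestamp to the start of its span (what bucket/timechart do to _time)."""
    return epoch - (epoch % span)


def _label(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TS_FMT)


def _count_by_bucket(events, span):
    counts = defaultdict(int)
    for e in events:
        counts[_bucket_start(e["_time"], span)] += 1
    return counts


def timechart_count(events, span):
    """... | timechart span=<span> count  -> number of events per bucket."""
    return {_label(b): c for b, c in _count_by_bucket(events, span).items()}


def timechart_avg(events, field, span):
    """... | timechart span=<span> avg(<field>)  -> mean of a numeric field per bucket,
    or None when no event in the bucket carries that field (the blank column the asker saw)."""
    sums, n, buckets = defaultdict(float), defaultdict(int), set()
    for e in events:
        b = _bucket_start(e["_time"], span)
        buckets.add(b)
        try:
            sums[b] += float(e[field])
            n[b] += 1
        except (KeyError, ValueError):
            continue  # avg() skips events where the field is missing or non-numeric
    return {_label(b): (sums[b] / n[b] if n[b] else None) for b in buckets}


def avg_events_per_span(events, inner_span, outer_span):
    """Average number of events per inner bucket, reported per outer bucket. Models
    ... | bucket _time span=1h | stats count by _time | timechart span=24h avg(count)
    The stats pass emits rows that DO carry a count field, so avg(count) has data."""
    rows = [{"_time": b, "count": c} for b, c in _count_by_bucket(events, inner_span).items()]
    return timechart_avg(rows, "count", outer_span)


if __name__ == "__main__":
    with_field = parse_events(EVENTS_WITH_COUNT_FIELD)
    plain = parse_events(EVENTS_WITHOUT_COUNT_FIELD)
    print("avg(count), field present: ", timechart_avg(with_field, "count", SPAN_24H))
    print("avg(count), field absent:  ", timechart_avg(plain, "count", SPAN_24H))
    print("count per day, field absent:", timechart_count(plain, SPAN_24H))
    print("avg hourly event count/day: ", avg_events_per_span(plain, SPAN_1H, SPAN_24H))
```

Running it shows the three outcomes side by side: avg(count) over twinspop-style events gives a number per day, the same search over events with no count field gives None for every day (the empty avg(count) column), and the two-pass version gives the average hourly event count per day, which is what "average number of logs" means once you decide what the inner span is.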