Solved: display running average with autoregress?

dang · ‎03-10-2011

I am attempting to calculate a running average with autoregress for a count of errors across a group of servers. I'm using the following query to get the data in 5-minute slices

index="monitoring" ServerErrors  | timechart span=5m sum(ServerErrors)

How would I get a running average of the last four hours of the values generated here? Do I want to use something like

| autogregress p1-48

My experience here is very limited, so I'm certain there is much I don't know about what's going on here.

David · ‎03-10-2011

I'd go this route:

index="monitoring" ServerErrors 
       | timechart span=5m sum(ServerErrors) as Error5MinSum 
       | streamstats avg(Error5MinSum) window=48

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

View solution in original post

David · ‎03-10-2011

I'd go this route:

index="monitoring" ServerErrors 
       | timechart span=5m sum(ServerErrors) as Error5MinSum 
       | streamstats avg(Error5MinSum) window=48

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

dang · ‎03-10-2011

Thanks. This provided the kind of information I wanted.

display running average with autoregress?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk