- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help on basic questions about stats avg on a speci...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
In the stats avg() below, I want to do an avg on the last month
So do I have to specify it with earliest=-1mon latest=now or do I have to use bucket _time span=1mon?
| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by USERNAME
| eval sent_data=round(sent_data, 2)
| eval received_data=round(received_data, 2)
| sort +sent_data +received_data
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to get the average for the previous month or the last ~30 days? For example, are you looking for June or June 16 - July 16? The easiest would be to pick your actual time range from the Time Picker controls.
Taking your examples, you most likely want to do something like you specified: earliest=-1mon latest=now. But make sure this is doing what you want. You are telling Splunk to return the data since June 16th starting at the current time. If instead you want the previous month, you can do this instead: earliest=-1mon@mon latest=@mon. This will search for data between 2019-06-01 00:00:00 and 2019-06-30 23:59:59.
bucket _time span=1mon is not going to do much for you unless your also include the _time in your stats command:
| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by _time, USERNAME
This will round each time stamp down to the first of each month. If you are trying to get the last 30 days, this won't quite do what you want. It will also depend on the time range specified.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to get the average for the previous month or the last ~30 days? For example, are you looking for June or June 16 - July 16? The easiest would be to pick your actual time range from the Time Picker controls.
Taking your examples, you most likely want to do something like you specified: earliest=-1mon latest=now. But make sure this is doing what you want. You are telling Splunk to return the data since June 16th starting at the current time. If instead you want the previous month, you can do this instead: earliest=-1mon@mon latest=@mon. This will search for data between 2019-06-01 00:00:00 and 2019-06-30 23:59:59.
bucket _time span=1mon is not going to do much for you unless your also include the _time in your stats command:
| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by _time, USERNAME
This will round each time stamp down to the first of each month. If you are trying to get the last 30 days, this won't quite do what you want. It will also depend on the time range specified.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
i am looking for June 16 - July 16 so i am going to use earliest=-1mon latest=now
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To get stats for a month you must have a month of data so earliest=-1mon is a minimum. For just one month, bucket is not needed.
If this reply helps you, Karma would be appreciated.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
