
time picker average if selected more than one day

Path Finder

Hi All.

I need help regarding one of my queries, shown below.

index=int_app  source="City_APP*"    FUNCTION=* ACTION=* | chart sum(PERCENT90) over FUNCTION by source

Now if I run this query over a 7-day period, ideally I should get the day 1 SUM to the day 7 SUM averaged by 7.

For example:
DAY 1 | DAY 2 | DAY 3 | DAY 4 | DAY 5 | DAY 6 | DAY 7
1 | 2 | 3 | 4 | 5 | 6 | 7

It should be 28/7, which is 4. Similarly, if we add day 8 data as 8,

the result should be 36/8, which is 4.5.

But what I am getting is 28 for 7 days and 36 for 8 days 😞

Can anyone help me understand what I am missing?

0 Karma

Re: time picker average if selected more than one day

SplunkTrust

Do you get the right results when you use avg(PERCENT90) instead of sum(PERCENT90)?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: time picker average if selected more than one day

Path Finder

Yes, I could use avg(PERCENT90), but each FUNCTION field holds 2 to 3 values of ACTION of its own, which need to be grouped under each function.

The problem is that I want to sum the action values that are there in some of the functions. For example, below is the output requested:

FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115

Now some of the functions, like COM, have sub-values which need to be summed up.

So COM has sub-values:
COM1 : 2
COM2 : 4
COM3 : 6

So I need the "COM" function's value as 12, but if I am using avg(PERCENT90) what I get is 12/3

if I am using the below query

index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
0 Karma

Re: time picker average if selected more than one day

Contributor

From what I can infer from your query, you should see results in this fashion:

FUNCTION DAY1 DAY2 DAY3 DAY4 DAY5 DAY6 DAY7
Fun1 3 4 5 6 7 8 9

If you are running the search over 7 days, then how is it calculating the average? From what I see, it will calculate the sum of all the values of the PERCENT90 field and show it to you in chart fashion. Also, does source have the values DAY1, DAY2 and so on?

Can you show a sample data set?

0 Karma

Re: time picker average if selected more than one day

Path Finder

Yes, it looks like below with the above query:

FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115

But if I use the time picker for 7 days, I get the sum of the AGE function 7 times:

FUNCTION | HK | SG
AGE |754.411 | 844.508

I want to get the average instead of 107.773 x 7 and 120.644 x 7 for all functions.

So if I use

index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source

I get the desired result for functions which have only one sub-value, but if there's a function with more sub-values it also averages the values under it. For example:

A function like COM has sub-values which need to be summed up.

So COM has sub-values:
COM1 : 2
COM2 : 4
COM3 : 6

So I need the "COM" function's value as 12, but if I am using avg(PERCENT90) what I get is 12/3

So the requirement is that sub-values under a function should only be summed up, not averaged, and summed under the function for a particular day. Once I have the sum of the sub-values under a function for the day, I want to do an average of the function's value by cities.

Function HK SG

0 Karma
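One way to express the requirement stated in the last post, as an added example that is not part of the original thread: sum PERCENT90 per FUNCTION and source within each day first, then average those daily sums across whatever range the time picker selects. The field name daily_sum is introduced here for illustration, and the query assumes each ACTION reports one PERCENT90 value per day, as the COM1/COM2/COM3 example implies.

```spl
index=int_app source="City_APP*" FUNCTION=* ACTION=*
| bin _time span=1d
| stats sum(PERCENT90) AS daily_sum BY _time, FUNCTION, source
| chart avg(daily_sum) OVER FUNCTION BY source
```

Days on which a FUNCTION has no events do not count toward its average, and a time range that starts or ends mid-day contributes a partial daily sum.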