Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

troublesome charting

tuxford
Path Finder
‎08-02-2012 03:41 AM

Hello

I have a chart that works for a time range of 60 minutes and looks like this:

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | chart avg(avg_sec) by date_minute

This gives me an average for each minute of that hour, I would like to do the same for longer time periods but are unable to find out how. If I extend the time range it sums the same minutes for each hour and makes an average of that instead of treating every minute of each hour as a separate entity. Anyone know a fix?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎08-02-2012 03:47 AM

You should use the timechart command

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0  | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎08-02-2012 03:47 AM

You should use the timechart command

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0  | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)
0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎08-02-2012 06:40 AM

The x axis can plot max 1000 points, and there are 1440 mins in a day. So it might be too wide. However, try to use "stats" to be sure you're getting the averages correct: sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | bucket _time span=1m | stat avg(avg_sec)

Reply
Solved! Jump to solution

tuxford
Path Finder
‎08-02-2012 06:21 AM

Yes, I've tried a lot of different ways now limited success. Basically what I want is to create an average that spans 1 minute in a larger time range where the chart is shown in a good way. It might be that my time range is too large when using a span of 1 minute and it simply won't work?

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎08-02-2012 04:50 AM

Have you tried to modify the way charts deal with nulls? You might try "treat as zeros".

0 Karma
Reply
Solved! Jump to solution

tuxford
Path Finder
‎08-02-2012 03:52 AM

Still seeing some odd results, seems the results change depending on how long the time range is, if I use 4 hours I get peaks around 30 and when I use 24 hours I only get peaks around 12 so the average calculations seems to differ somehow.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...