Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

troublesome charting

tuxford
Path Finder
‎08-02-2012 03:41 AM

Hello

I have a chart that works for a time range of 60 minutes and looks like this:

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | chart avg(avg_sec) by date_minute

This gives me an average for each minute of that hour, I would like to do the same for longer time periods but are unable to find out how. If I extend the time range it sums the same minutes for each hour and makes an average of that instead of treating every minute of each hour as a separate entity. Anyone know a fix?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎08-02-2012 03:47 AM

You should use the timechart command

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0  | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎08-02-2012 03:47 AM

You should use the timechart command

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0  | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)
0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎08-02-2012 06:40 AM

The x axis can plot max 1000 points, and there are 1440 mins in a day. So it might be too wide. However, try to use "stats" to be sure you're getting the averages correct: sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | bucket _time span=1m | stat avg(avg_sec)

Reply
Solved! Jump to solution

tuxford
Path Finder
‎08-02-2012 06:21 AM

Yes, I've tried a lot of different ways now limited success. Basically what I want is to create an average that spans 1 minute in a larger time range where the chart is shown in a good way. It might be that my time range is too large when using a span of 1 minute and it simply won't work?

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎08-02-2012 04:50 AM

Have you tried to modify the way charts deal with nulls? You might try "treat as zeros".

0 Karma
Reply
Solved! Jump to solution

tuxford
Path Finder
‎08-02-2012 03:52 AM

Still seeing some odd results, seems the results change depending on how long the time range is, if I use 4 hours I get peaks around 30 and when I use 24 hours I only get peaks around 12 so the average calculations seems to differ somehow.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...