Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

troublesome charting

tuxford
Path Finder
‎08-02-2012 03:41 AM

Hello

I have a chart that works for a time range of 60 minutes and looks like this:

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | chart avg(avg_sec) by date_minute

This gives me an average for each minute of that hour, I would like to do the same for longer time periods but are unable to find out how. If I extend the time range it sums the same minutes for each hour and makes an average of that instead of treating every minute of each hour as a separate entity. Anyone know a fix?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎08-02-2012 03:47 AM

You should use the timechart command

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0  | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎08-02-2012 03:47 AM

You should use the timechart command

sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0  | eval avg_sec=other/1000 | timechart span=1m avg(avg_sec)
0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎08-02-2012 06:40 AM

The x axis can plot max 1000 points, and there are 1440 mins in a day. So it might be too wide. However, try to use "stats" to be sure you're getting the averages correct: sourcetype="access_combined" "*.html" OR ".ajax" NOT "/tomcat-docs/healthcheck.html" | where other>0 | eval avg_sec=other/1000 | bucket _time span=1m | stat avg(avg_sec)

Reply
Solved! Jump to solution

tuxford
Path Finder
‎08-02-2012 06:21 AM

Yes, I've tried a lot of different ways now limited success. Basically what I want is to create an average that spans 1 minute in a larger time range where the chart is shown in a good way. It might be that my time range is too large when using a span of 1 minute and it simply won't work?

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎08-02-2012 04:50 AM

Have you tried to modify the way charts deal with nulls? You might try "treat as zeros".

0 Karma
Reply
Solved! Jump to solution

tuxford
Path Finder
‎08-02-2012 03:52 AM

Still seeing some odd results, seems the results change depending on how long the time range is, if I use 4 hours I get peaks around 30 and when I use 24 hours I only get peaks around 12 so the average calculations seems to differ somehow.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...