I have log entries that contain, among other things, fields called AcctID and exec_time. I have a user who wants to do, essentially:
sourcetype=statslog | timechart count, avg(exec_time) by AcctID
Since I know this is not directly possible in 4.1, I went to the strategy laid out in http://www.splunk.com/base/Documentation/4.1.6/User/ReportOfMultipleDataSeries. My search ends up being:
host=*prod* sourcetype=statslog "exec=getSingleAvailability" exec_time > 0
| stats count as cnt, avg(exec_time) as avgexec by AcctID
| eval s1="count avgexec"
| makemv s1 | mvexpand s1
| eval yval=case(s1=="count",cnt,s1=="avgexec",avgexec) | eval series=AcctID+":"+s1
And I get results as expected, like:
AcctID   cnt  avgexec     s1       series           yval
7490728  23   391.826087  count    7490728:count    23
7490728  23   391.826087  avgexec  7490728:avgexec  391.826087
5459551  22   193.954545  count    5459551:count    22
5459551  22   193.954545  avgexec  5459551:avgexec  193.954545
But when I add the final | xyseries _time,series,yval to the search, I get "No results found"
What am I missing?
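The pipeline in the question, modelled in plain Python so the shape of the intermediate rows is visible. This is an added example, not code from the original post and not SPL: the field names (AcctID, exec_time, exec=getSingleAvailability) and the exec_time > 0 filter come from the question, while the sample events and the 60-second bucket span are constructed assumptions. The stats step produces rows that carry only AcctID and the two aggregates, so nothing in them is keyed by _time; timechart_multi shows the per-bucket version that keeps a time column alongside one column per series.

```python
"""Plain-Python model of the two-series-per-AcctID search from the question.
Added example, not code from the original post. Field names (AcctID,
exec_time, exec=getSingleAvailability) come from the question; the sample
events below are constructed and the 60-second span is assumed."""
import re
from collections import defaultdict
from statistics import mean

# Constructed sample events as (epoch seconds, raw statslog line).
SAMPLE_EVENTS = [
    (1200, "exec=getSingleAvailability AcctID=7490728 exec_time=300"),
    (1210, "exec=getSingleAvailability AcctID=7490728 exec_time=500"),
    (1230, "exec=getSingleAvailability AcctID=5459551 exec_time=200"),
    (1260, "exec=getSingleAvailability AcctID=7490728 exec_time=400"),
    (1270, "exec=getSingleAvailability AcctID=5459551 exec_time=0"),
    (1275, "exec=getSingleAvailability AcctID=5459551 exec_time=150"),
]

KV = re.compile(r"(\w+)=(\S+)")


def matching_events(events):
    """The base search: exec=getSingleAvailability and exec_time > 0.
    Yields (epoch, AcctID, exec_time as float)."""
    for ts, raw in events:
        f = dict(KV.findall(raw))
        if f.get("exec") != "getSingleAvailability":
            continue
        exec_time = float(f.get("exec_time", 0))
        if exec_time > 0:
            yield ts, f["AcctID"], exec_time


def stats_by_acct(events):
    """`stats count as cnt, avg(exec_time) as avgexec by AcctID`: one row per
    AcctID carrying only the by-field and the two aggregates. No _time here."""
    per_acct = defaultdict(list)
    for _ts, acct, exec_time in matching_events(events):
        per_acct[acct].append(exec_time)
    return [{"AcctID": a, "cnt": len(v), "avgexec": mean(v)}
            for a, v in sorted(per_acct.items())]


def expand_series(stats_rows):
    """The eval/makemv/mvexpand/case steps: two rows per AcctID, named
    '<AcctID>:count' and '<AcctID>:avgexec', with the value in yval."""
    out = []
    for row in stats_rows:
        for s1, yval in (("count", row["cnt"]), ("avgexec", row["avgexec"])):
            out.append({**row, "s1": s1,
                        "series": f"{row['AcctID']}:{s1}", "yval": yval})
    return out


def timechart_multi(events, span=60):
    """The result the question is after: bucket events by span first, then
    aggregate per AcctID inside each bucket, so every output row keeps _time
    and gets one column per series (what an xyseries over _time, series, yval
    yields when _time is still present in its input)."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, acct, exec_time in matching_events(events):
        buckets[ts - ts % span][acct].append(exec_time)
    rows = []
    for t in sorted(buckets):
        row = {"_time": t}
        for acct, values in sorted(buckets[t].items()):
            row[f"{acct}:count"] = len(values)
            row[f"{acct}:avgexec"] = mean(values)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in expand_series(stats_by_acct(SAMPLE_EVENTS)):
        print(r)
    for r in timechart_multi(SAMPLE_EVENTS):
        print(r)
```

Running the script prints the four expanded series rows (no _time column) followed by one row per 60-second bucket with both metrics for both accounts.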
How can I get a count of events per second in a realtime search?
I can do something like this to get a rolling count on a realtime search with a 30 second window:
source=foobar.log host=*prod* PAYLOAD | stats count
But as soon as I add something like |eval eps=max(count/30) it all falls apart and eps doesn't seem to get updated.
For bonus points I'd like to display this in a single value panel with a rangemap...
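The arithmetic behind a rolling events-per-second figure over a 30-second window, written out in Python as an added example (not code from the original post and not SPL). The PAYLOAD match and the 30-second window come from the question; the sample stream, the deque-based window and the rangemap thresholds (low, elevated, severe) are constructed assumptions.

```python
"""Sliding-window events-per-second over an event stream, the arithmetic
behind the 30-second rolling count in the question. Added example, not from
the original post; the PAYLOAD filter and 30-second window come from the
question, the sample lines and the rangemap thresholds are assumed."""
from collections import deque

WINDOW_SECONDS = 30

# Constructed sample stream as (epoch seconds, raw log line), in arrival order.
SAMPLE_STREAM = [
    (100, "PAYLOAD id=1"),
    (105, "PAYLOAD id=2"),
    (110, "PAYLOAD id=3"),
    (112, "heartbeat"),          # does not match the PAYLOAD search
    (120, "PAYLOAD id=4"),
    (125, "PAYLOAD id=5"),
    (135, "PAYLOAD id=6"),
]


def rolling_eps(stream, window=WINDOW_SECONDS, needle="PAYLOAD"):
    """For each matching event return (ts, count_in_window, eps), where
    count_in_window is the number of matching events in (ts - window, ts]
    and eps = count_in_window / window. A deque of timestamps is the window."""
    recent = deque()
    out = []
    for ts, raw in stream:
        if needle not in raw:
            continue
        recent.append(ts)
        while recent[0] <= ts - window:   # evict timestamps that fell out of the window
            recent.popleft()
        out.append((ts, len(recent), len(recent) / window))
    return out


def current_eps(stream, window=WINDOW_SECONDS):
    """The single value a panel would display: eps of the latest window,
    0.0 when nothing has matched yet."""
    samples = rolling_eps(stream, window)
    return samples[-1][2] if samples else 0.0


# Assumed thresholds, in the spirit of
# `rangemap field=eps low=0-1 elevated=1-5 default=severe`.
RANGES = (("low", 0.0, 1.0), ("elevated", 1.0, 5.0))


def rangemap(value, ranges=RANGES, default="severe"):
    """First range whose inclusive bounds contain value, else the default."""
    for label, lo, hi in ranges:
        if lo <= value <= hi:
            return label
    return default


if __name__ == "__main__":
    for ts, n, eps in rolling_eps(SAMPLE_STREAM):
        print(ts, n, f"{eps:.3f}", rangemap(eps))
```

The window holds only timestamps, so memory is bounded by the event rate times the window length, and the eps value is recomputed on every arriving event rather than once per search run.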