Hi,
I have to create a timechart where each point plotted is the average of the count of events in the last 20 minutes.
I have seen the sma5(x) function, but that is fixed on the number of events, not a time span as I would like.
Any ideas?
Many thanks
If I'm following correctly, you want something like:
<your search> | timechart count span=1m | streamstats window=20 avg(count) as avgCount | fields _time avgCount
Say you run that search over the last 60 minutes. You'll get 60 results, where each row is a minute. And each row has a '_time' field, and an 'avgCount' field. The avgCount field will be the average events per minute, during that minute and the 19 minutes preceding it.
I'm sure there's a bunch of ways to do this with conditional eval commands, and you might make some clever use of the per_minute() function in timechart. However, this use of timechart and streamstats seems simple enough.
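An added example, not part of the answer above: a Python emulation of what that search computes row by row, so the two properties it depends on are visible. The 20-row window equals 20 minutes only because timechart emits a row (count 0) for every empty minute, and the first 19 rows are averaged over fewer than 20 rows. The function names and the sample timestamps are constructed for illustration.

```python
from collections import Counter, deque
from datetime import datetime, timedelta


def per_minute_counts(timestamps, start, minutes):
    """Emulate `timechart count span=1m`: one row per minute, empty minutes get 0."""
    start = start.replace(second=0, microsecond=0)
    hits = Counter(int((ts - start).total_seconds() // 60) for ts in timestamps)
    return [(start + timedelta(minutes=i), hits.get(i, 0)) for i in range(minutes)]


def trailing_average(rows, window=20):
    """Emulate `streamstats window=20 avg(count) as avgCount`.

    The window is counted in rows, not in time. Each output row also carries
    the number of rows that were actually averaged (1..window).
    """
    recent = deque(maxlen=window)
    out = []
    for t, count in rows:
        recent.append(count)
        out.append((t, sum(recent) / len(recent), len(recent)))
    return out


# Constructed sample: 3 events/min for 10 minutes, 10 silent minutes,
# then 6 events/min for 10 minutes.
START = datetime(2024, 1, 1, 12, 0)


def sample_events():
    events = []
    for m in range(30):
        n = 3 if m < 10 else 0 if m < 20 else 6
        events += [START + timedelta(minutes=m, seconds=10 * k) for k in range(n)]
    return events


def demo():
    rows = per_minute_counts(sample_events(), START, 30)
    return trailing_average(rows)


if __name__ == "__main__":
    for t, avg, n in demo():
        print(t.strftime("%H:%M"), f"avgCount={avg:.2f}", f"rows_in_window={n}")
```

If the silent minutes were missing as rows instead of present with count 0, the same 20-row window would reach further back than 20 minutes and the average would be overstated.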