Solved: avg(count) not working in timechart?

tfitzgerald15 · ‎10-11-2013

I'm trying to chart the average count over a 24 hour span on a timechart, and it's just not working. The RegEx I'm using is pretty simple, so I'll admit I feel a little less than proud I can't get this to work.

... | timechart span=24h avg(count)

The goal is to create a chart where I get a line that y=avg(count), where the avg(count) is the average of all values over the past 24 hours. However, when I do this, it's giving me the time properly, but under the "avg(count)" field in the table, the fields are blank/null, and the chart creates without a line, but with avg(count) in the legend.

I'm planning on using this as a piece of a larger project, the rest of which I've successfully set up. This is the last peice of the puzzle.

Thanks!

twinspop · ‎10-11-2013

Can you confirm you have a 'count' field in your results? Use the field picker on the left to see if it appears in your results. And if it appears as a number. My guess would be one of these 2 conditions are not being met. Can you post a log sample and your field extraction, if applicable?

Using logs in my system that have 'count=X' in them, I can run your timechart command with expected results.

sourcetype=dbjobs EVENTQ.QUEUE_DEPTH | timechart span=24h avg(count)

The logs look like this:

Oct 11 11:14:51 db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=23

View solution in original post

tfitzgerald15 · ‎10-11-2013

Count is literally just the number of hits. It works fine when I do "| timechart count", and provides me with a chart of how many logs match my search criteria over the designated time frame.

twinspop · ‎10-11-2013

Can you confirm you have a 'count' field in your results? Use the field picker on the left to see if it appears in your results. And if it appears as a number. My guess would be one of these 2 conditions are not being met. Can you post a log sample and your field extraction, if applicable?

Using logs in my system that have 'count=X' in them, I can run your timechart command with expected results.

sourcetype=dbjobs EVENTQ.QUEUE_DEPTH | timechart span=24h avg(count)

The logs look like this:

Oct 11 11:14:51 db=xxxxx Source=EVENTQ.QUEUE_DEPTH Table=Table1 count=23

twinspop · ‎10-11-2013

timechart span=24h count

tfitzgerald15 · ‎10-11-2013

Count is literally just the number of hits. It works fine when I do "| timechart count", and provides me with a chart of how many logs match my search criteria over the designated time frame.

However, it doesn't exist in my logs themselves, but it's worked for everything else. Is there another command/term for "Number of Logs"? That's really all I'm looking to get here.

zeroactive · ‎10-11-2013

avg(count) will give you an average of the number of raw events, but you have to do some additional work with "bucket" and "streamstats". See http://answers.splunk.com/answers/79026/average-count-by-day for more info on that.

If you want the average of a field, then you'll need to do "avg(fieldname)" to get the average of that value. This sounds like what you want to do, but it's a bit hard to tell exactly what given the way you formatted the query. And few example lines of data and the field name you want to average will go along way to help us help you.

avg(count) not working in timechart?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!