I'm trying to find the avg, min, and max values of a 7 day search over 1 minute spans.
For example:
index=apihits app=specificapp earliest=-7d
I want to find:
1. what is the max per minute
2. what is the avg per minute
3. what is the lowest per minute
I know it uses min(field), max(field) and avg(field), but for the life of me I can't get it to work. Can someone please tell me what I'm doing wrong?
Try something like this, assuming you're looking for the avg, min and max count per minute for the 7 day period.
index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count by _time | stats min(count) as min max(count) as max avg(count) as avg
The idea is to use bucket to define the time part, use stats to generate the count for each minute (per-minute count), and then generate the stats from the per-minute count.
My use case is to find the highest traffic per minute. Is it possible to find the time as well, to identify when the spike in traffic happened?
Hello,
And what if I want to do so on a 7 day timechart (the max, min and avg value for each day of the last 7 days)?
How do I modify this request, please?
Moreover, the above solution (the first one) gives me a chart with only two columns:
max column
avg column
... but min is on the abscissa axis and is not shown as a dedicated column.
I have to hover my mouse over one of the columns to see the min value (or look in the table below).
Any idea?
Thank you
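An added example, not posted by anyone in this thread: one way to get the min, max and avg per-minute count for each day together with the minute at which each day's peak occurred. It uses timechart instead of bucket plus stats because timechart emits a row with count=0 for minutes that had no events, which stats count by _time drops; the field names day, day_max and peak_minute are made up for the illustration.

```spl
index=apihits app=specificapp earliest=-7d
| timechart span=1m count
| eval day=strftime(_time, "%Y-%m-%d")
| eventstats max(count) as day_max by day
| eval peak_minute=if(count=day_max, strftime(_time, "%H:%M"), null())
| stats min(count) as min max(count) as max avg(count) as avg values(peak_minute) as peak_minute by day
```

With earliest=-7d the first and last days are partial; snapping the range to day boundaries (for example earliest=-7d@d latest=@d) gives seven whole days. Because the first column is day, a column chart of this result puts the day on the x-axis and draws min, max and avg as separate series.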
Of course, that's exactly what I left out: count by _time. Thanks for the help. My brain is just burnt for today.
index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count as somename, avg(field) as AvgValue min(field) as MinValue max(field) as MaxValue by somefield
Since you want it by minute, the key is to bucket all data per minute.
What have you tried so far? We can't say what you're doing wrong without knowing what you are doing.
This is what I was trying to do:
index=apihits app=specificapp earliest=-7d | bucket _time span=1min | stats count AS totalCalls, avg(totalCalls) AS AvgCallPerMin, min(totalCalls) AS MinCallsPerMin, max(totalCalls) AS MaxCallsPerMin