Splunk Search

How to find the average, min, and max values per minute for a 7 day search?

tkwaller
Builder

I'm trying to find the avg, min, and max values of a 7 day search over 1 minute spans.

For example:

index=apihits app=specificapp earliest=-7d

I want to find:
1. what is the max per minute
2. what is the avg per minute
3. what is the lowest per minute

I know it uses min(field), max(field) and avg(field), but for the life of me I can't get it to work. Can someone please tell me what I'm doing wrong?

0 Karma
1 Solution

somesoni2
SplunkTrust

Try something like this. Assuming you're looking for Avg, Min and Max count per min for the 7 day period.

index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count by _time | stats min(count) as min max(count) as max avg(count) as avg

Idea is to use bucket to define the time part, use stats to generate the count for each min (per-min count) and then generate the stats from the per-min count.

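Added example, not code from the thread or from Splunk: a Python model of the accepted answer's two-stage pipeline (bucket to the minute, count per bucket, then min/max/avg over those counts) run over constructed timestamps. It also shows a caveat worth knowing before trusting the reported min: `stats count by _time` emits no row for a minute with zero events, so the min can never be 0 unless empty minutes are filled in. The `fill_empty` option and the peak-minute field are assumptions of this example, not part of the original query.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample hits: one ISO timestamp per API call
# (stand-in for the events matched by index=apihits app=specificapp).
SAMPLE_HITS = [
    "2024-01-08T10:00:05Z", "2024-01-08T10:00:40Z", "2024-01-08T10:00:59Z",  # 3 hits in 10:00
    "2024-01-08T10:01:10Z",                                                   # 1 hit in 10:01
    "2024-01-08T10:03:01Z", "2024-01-08T10:03:02Z", "2024-01-08T10:03:30Z",  # 10:02 has no hits
    "2024-01-08T10:03:45Z", "2024-01-08T10:03:58Z",                           # 5 hits in 10:03
]


def bucket_minute(ts: str) -> datetime:
    """Equivalent of `bucket _time span=1m`: truncate the timestamp to the start of its minute."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(second=0, microsecond=0)


def per_minute_counts(hits, fill_empty=False):
    """Equivalent of `stats count by _time`: number of hits in each 1-minute bucket.

    Like the Splunk command, this yields no entry for a minute with zero hits.
    fill_empty=True (an assumption of this example, roughly what timechart does)
    inserts 0-count rows for the gaps so the later min can actually report 0.
    """
    counts = Counter(bucket_minute(ts) for ts in hits)
    if fill_empty and counts:
        minute = min(counts)
        while minute <= max(counts):
            counts.setdefault(minute, 0)
            minute += timedelta(minutes=1)
    return dict(sorted(counts.items()))


def summarize(counts):
    """Second stats pass: min/max/avg over the per-minute counts.

    Also reports which minute held the peak, which the single-line
    `stats min(count) max(count) avg(count)` throws away.
    """
    values = list(counts.values())
    peak_minute = max(counts, key=counts.get)
    return {
        "min": min(values),
        "max": max(values),
        "avg": sum(values) / len(values),
        "peak_minute": peak_minute,
    }


if __name__ == "__main__":
    print(summarize(per_minute_counts(SAMPLE_HITS)))                   # min 1, max 5, avg 3.0
    print(summarize(per_minute_counts(SAMPLE_HITS, fill_empty=True)))  # min 0, max 5, avg 2.25
```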


RemyaT
Explorer

My use case is to find the highest traffic per minute. Is it possible to find the time as well, to identify when the spike in traffic happened?

0 Karma

zebu14
Explorer

Hello,

And if I want to do so on a 7 day timechart (the max, min and avg value, for each day of the last 7 days), how do I modify this request please?

Moreover, the above solution (the first one) gives me a chart with only two columns:
max column
avg column
... but min is on the abscissa axis and is not shown as a dedicated column.

I have to hover my mouse over one of the columns to see the min value (or look in the table below).

Any idea?

Thank you

0 Karma

tkwaller
Builder

Of course, that's exactly what I left out, count by _time. Thanks for the help. My brain is just burnt for today.

0 Karma

jensonthottian
Contributor

index=apihits app=specificapp earliest=-7d | bucket _time span=1m | stats count as somename, avg(field) as AvgValue, min(field) as MinValue, max(field) as MaxValue by somefield

Since you want it by minute, the key is to bucket all the data per minute.

richgalloway
SplunkTrust
SplunkTrust

What have you tried so far? We can't say what you're doing wrong without knowing what you are doing.

---
If this reply helps you, Karma would be appreciated.

tkwaller
Builder

This is what I was trying to do:

index=apihits app=specificapp earliest=-7d | bucket _time span=1min | stats count AS totalCalls, avg(totalCalls) AS AvgCallPerMin, min(totalCalls) AS MinCallsPerMin, max(totalCalls) AS MaxCallsPerMin

0 Karma