Solved: How to "stats avg(field1) by field2" and display t...

shantu · ‎08-24-2015

I'm working with Alert logs, which spit out log events only if certain SQL queries take longer than a threshold time. Each log event has two values of interest - QueryTime and SQLQuery. I'm extracting these fields.

I'd like to run a "top limit=50 SQLQuery showperc=f" and I'd like to add a column to show "avg(QueryTime) by SQLQuery". Can't figure out a way to do both in the same search. The end result should have the following headers:

SQLQuery avg(QueryTime) Count

acharlieh · ‎08-24-2015

You want the average times of the 50 most common sql queries? what if instead of top we make use of sort to sort by the count, and then limit our result set, keeping the average query times in tact like so:

... | stats count avg(QueryTime) by SQLQuery | sort 50 - count

View solution in original post

acharlieh · ‎08-24-2015

You want the average times of the 50 most common sql queries? what if instead of top we make use of sort to sort by the count, and then limit our result set, keeping the average query times in tact like so:

... | stats count avg(QueryTime) by SQLQuery | sort 50 - count

shantu · ‎08-24-2015

That worked as required. Thanks!

How to "stats avg(field1) by field2" and display that average in a top limit=20 field2 stats page

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM