
How to change my stats avg(x) search to an hourly timechart?

pavanae
Builder

Hi

I have the following search, which displays the average of a field, but I am trying to make an hourly timechart that shows the average for each particular hour.

... My Search ... | rex "<Total_Amount_Due>(?<amount>\d+\.\d+)</Total_Amount_Due>" | stats count by amount | where amount > 0 | stats avg(amount) as average

How do I modify my search to display the hourly average count?

Any help or suggestions?

1 Solution

martin_mueller
SplunkTrust

You could use this:

... | rex ... | timechart span=1h count dc(amount) as dc | eval average = count / dc | fields - count dc

This will count the events per hour and the number of different amount values to then compute the average.

Alternatively, you could do this:

... | rex ... | bin span=1h _time | stats count by _time amount | timechart span=1h avg(count) as average

Note: I've changed avg(amount) to avg(count); I'm not sure whether that was intentional in your question or not.


tedwroks
Explorer

It sounds like all you want is:

... My Search ... | rex "<Total_Amount_Due>(?<amount>\d+\.\d+)</Total_Amount_Due>" | timechart span=1h avg(amount)
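The two answers above compute different things per hour: tedwroks' search averages the amount values themselves, while martin_mueller's two searches both give the number of events per distinct amount value (count divided by dc(amount), or avg(count) after a stats count by _time amount). The following Python script is an added example, not code from this thread or from Splunk: it runs a handful of constructed XML events through an equivalent of each pipeline so the results can be compared side by side. The regex is the one from the question with the dot escaped; the event list, timestamps and function names are all constructed for illustration.

```python
"""Reproduce the three hourly-average SPL pipelines from this thread in Python.

Added example, not part of the thread or of Splunk itself. The sample
events, their timestamps and the helper names are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Same field extraction as the question's rex, with the dot escaped so it
# only matches a decimal point (an unescaped `.` would match any character).
AMOUNT_RE = re.compile(r"<Total_Amount_Due>(?P<amount>\d+\.\d+)</Total_Amount_Due>")

# Constructed sample events: (ISO timestamp, raw XML fragment).
SAMPLE_EVENTS = [
    ("2024-01-01T10:05:00Z", "<Total_Amount_Due>10.00</Total_Amount_Due>"),
    ("2024-01-01T10:20:00Z", "<Total_Amount_Due>10.00</Total_Amount_Due>"),
    ("2024-01-01T10:45:00Z", "<Total_Amount_Due>40.00</Total_Amount_Due>"),
    ("2024-01-01T11:10:00Z", "<Total_Amount_Due>5.50</Total_Amount_Due>"),
    ("2024-01-01T11:30:00Z", "<Total_Amount_Due>0.00</Total_Amount_Due>"),
    ("2024-01-01T11:50:00Z", "<Total_Amount_Due>20.00</Total_Amount_Due>"),
    ("2024-01-01T12:15:00Z", "<Total_Amount_Due>7.25</Total_Amount_Due>"),
]


def hour_bucket(ts):
    """Equivalent of `bin span=1h _time`: truncate the timestamp to the hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def extract(events):
    """Equivalent of `rex`: yield (hour, amount) for events where the field matches.

    Events without a match drop out, just as they would have no `amount`
    field in Splunk and so would not contribute to avg(amount) or dc(amount).
    """
    for ts, raw in events:
        m = AMOUNT_RE.search(raw)
        if m:
            yield hour_bucket(ts), float(m.group("amount"))


def avg_amount_per_hour(events):
    """`timechart span=1h avg(amount)`: arithmetic mean of the amount values per hour."""
    buckets = defaultdict(list)
    for hour, amount in extract(events):
        buckets[hour].append(amount)
    return {h: round(sum(v) / len(v), 4) for h, v in sorted(buckets.items())}


def count_over_dc_per_hour(events):
    """`timechart span=1h count dc(amount) as dc | eval average = count / dc`:
    events per hour divided by the number of distinct amount values in that hour."""
    counts = Counter()
    distinct = defaultdict(set)
    for hour, amount in extract(events):
        counts[hour] += 1
        distinct[hour].add(amount)
    return {h: round(counts[h] / len(distinct[h]), 4) for h in sorted(counts)}


def avg_count_per_amount_per_hour(events):
    """`bin span=1h _time | stats count by _time amount | timechart span=1h avg(count)`:
    average number of events per distinct amount value, per hour."""
    per_pair = Counter()
    for hour, amount in extract(events):
        per_pair[(hour, amount)] += 1
    buckets = defaultdict(list)
    for (hour, _amount), c in per_pair.items():
        buckets[hour].append(c)
    return {h: round(sum(v) / len(v), 4) for h, v in sorted(buckets.items())}


if __name__ == "__main__":
    for name, fn in [("avg(amount)", avg_amount_per_hour),
                     ("count / dc(amount)", count_over_dc_per_hour),
                     ("avg(count) by _time amount", avg_count_per_amount_per_hour)]:
        print(name, fn(SAMPLE_EVENTS))
```

On the constructed data the 10:00 bucket holds amounts 10.00, 10.00 and 40.00: avg(amount) gives 20.0, while count/dc and avg(count) both give 1.5, since three events share two distinct values. The two count-based pipelines always agree with each other, which is why both of Martin's searches "worked" while still not being the average of the amounts; if the goal is the mean amount per hour, avg(amount) in the timechart is the one to use.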

pavanae
Builder

Hi, everything seems good, but it was giving the wrong average.


martin_mueller
SplunkTrust

If neither produces the results you like, then please post sample data along with the intended results.


pavanae
Builder

Thanks Martin, both searches worked great; my mistake.


somesoni2
SplunkTrust

Try to use Martin's 2nd query with avg(amount) in the timechart.
