Hi
I have the following search which displays the Average of a field, but I am trying to put a time chart in hourly which shows the average of that particular hour.
…..My Search……|rex "<Total_Amount_Due>(?<amount>\d+\.\d+)</Total_Amount_Due>" | stats count by amount | where amount > 0 | stats avg(amount) as average
How do I modify my search to display the hourly average count?
Any help or suggestions?
You could use this:
... | rex ... | timechart span=1h count dc(amount) as dc | eval average = count / dc | fields - count dc
This will count the events per hour and the number of different amount values to then compute the average.
Alternatively, you could do this:
... | rex ... | bin span=1h _time | stats count by _time amount | timechart span=1h avg(count) as average
Note, I've changed avg(amount) to avg(count), not sure if that was intentional in your question or not.
It sounds like all you want is:
... My Search ...|rex "<Total_Amount_Due>(?<amount>\d+\.\d+)</Total_Amount_Due>" | timechart span=1h avg(amount)
Hi, everything seems good but it was giving the wrong average.
If both don't produce results you like then please do post sample data along with intended results.
Thanks Martin, both searches worked great, my mistake.
Try to use Martin's 2nd query with avg(amount) in the timechart.
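The three searches in this thread compute three different things, which is why one of them "gave the wrong average". As an added illustration that is not part of the thread (and in Python rather than SPL, since the point is the arithmetic, not the Splunk syntax), the script below simulates each pipeline over a constructed handful of events: `timechart span=1h avg(amount)` (mean over every event in the hour), `count dc(amount) | eval average = count / dc` (events per distinct amount value), and `bin span=1h _time | stats count by _time amount | timechart span=1h avg(amount)` (mean of the distinct amount values seen in the hour, which is what the original `stats count by amount | stats avg(amount)` computed without a time split). The sample events, the bucket keys, and the optional `positive_only` switch that stands in for the asker's `where amount > 0` are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (timestamp, raw event text); not real data.
# Hour 10 has amounts 10, 10, 30; hour 11 has 0, 50, 50 plus one event
# whose value does not match the rex pattern and so gets no amount field.
EVENTS = [
    ("2024-01-01T10:05:00Z", "<Total_Amount_Due>10.00</Total_Amount_Due>"),
    ("2024-01-01T10:20:00Z", "<Total_Amount_Due>10.00</Total_Amount_Due>"),
    ("2024-01-01T10:40:00Z", "<Total_Amount_Due>30.00</Total_Amount_Due>"),
    ("2024-01-01T11:10:00Z", "<Total_Amount_Due>0.00</Total_Amount_Due>"),
    ("2024-01-01T11:30:00Z", "<Total_Amount_Due>50.00</Total_Amount_Due>"),
    ("2024-01-01T11:45:00Z", "<Total_Amount_Due>50.00</Total_Amount_Due>"),
    ("2024-01-01T11:50:00Z", "<Total_Amount_Due>no-amount</Total_Amount_Due>"),
]

# Same pattern as the thread's rex, with the decimal point escaped.
AMOUNT_RE = re.compile(r"<Total_Amount_Due>(?P<amount>\d+\.\d+)</Total_Amount_Due>")


def rex(raw):
    """Emulate `rex`: return the extracted amount, or None when the pattern fails."""
    m = AMOUNT_RE.search(raw)
    return float(m.group("amount")) if m else None


def bin_hour(ts):
    """Emulate `bin span=1h _time`: truncate the timestamp to the hour (UTC)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def bucket_events(events):
    """Group extracted amounts by hourly bucket, as the timechart/bin stages do.

    Events where rex produced no amount field are dropped, matching how
    avg(amount)/dc(amount) simply ignore events lacking the field.
    """
    buckets = defaultdict(list)
    for ts, raw in events:
        amount = rex(raw)
        if amount is None:
            continue
        buckets[bin_hour(ts)].append(amount)
    return dict(buckets)


def avg_of_events(buckets):
    """`timechart span=1h avg(amount)`: arithmetic mean over every event in the hour."""
    return {hour: sum(amts) / len(amts) for hour, amts in buckets.items()}


def events_per_distinct(buckets):
    """`timechart span=1h count dc(amount) as dc | eval average = count / dc`.

    This is the number of events per distinct amount value, not an average
    amount, which is why it looks "wrong" if an average amount was expected.
    """
    return {hour: len(amts) / len(set(amts)) for hour, amts in buckets.items()}


def avg_of_distinct_amounts(buckets, positive_only=False):
    """`bin span=1h _time | stats count by _time amount | timechart span=1h avg(amount)`.

    After `stats count by _time amount` each (hour, amount) pair is one row, so
    avg(amount) is the mean of the distinct amounts seen in that hour. With
    positive_only=True the asker's `where amount > 0` is applied to those rows.
    """
    result = {}
    for hour, amts in buckets.items():
        distinct = {a for a in amts if not positive_only or a > 0}
        result[hour] = sum(distinct) / len(distinct) if distinct else None
    return result


def run(events=EVENTS):
    """Return all three hourly tables side by side for comparison."""
    buckets = bucket_events(events)
    return {
        "avg(amount) over events": avg_of_events(buckets),
        "count / dc(amount)": events_per_distinct(buckets),
        "avg of distinct amounts": avg_of_distinct_amounts(buckets),
        "avg of distinct amounts > 0": avg_of_distinct_amounts(buckets, positive_only=True),
    }


if __name__ == "__main__":
    for name, table in run().items():
        print(name)
        for hour, value in sorted(table.items()):
            print(f"  {hour}  {value}")
```

Run it and the three tables differ on the same input: for hour 11 the per-event mean is 33.33, the count/dc figure is 1.5, and the distinct-amount mean is 25.0 (50.0 once the zero amount is filtered out). Whichever of these is the intended "hourly average" decides which of the searches above to keep.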