- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to get the average for multi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have results table like below. How can I combine these multivalues per each day such that need to get single value (average) for each day. Now we can see multiple values listed (since we have four servers, 4 values are displayed)
Below is the example we got the results
_time rtlvpxaw01
12/6/2015 -177.0167824
-268.4641204
-85.56944444
5.85474537
12/7/2015 100
12/8/2015 97.27893519
97.42939815
97.57986111
97.62962963
We have used this search:
index=f5 sourcetype=F5 server* F5_MonitorStatus="monitor status up"
| convert num(SiloDownHours)
| eval SiloDownHours = SiloDownHours * 3600
| convert num(SiloDownMins)
| eval SiloDownMins = SiloDownMins * 60
|convert num(SiloDownSecs)
| eval SiloDownTotal = (SiloDownSecs + SiloDownMins + SiloDownHours)/2
|streamstats sum(SiloDownTotal) as SiloDownTotal by F5_apache_host
|eval PercentUptime = ((86400 - SiloDownTotal)/86400*100)
|timechart span=1d values(PercentUptime) by server|fillnull value=100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I don't quite get your query because some special characters have been removed so in future please remember to post queries inside the code tags (simply use the button above with 1s and 0s when editing queries).
Anyway, if all your are trying to do is to calculate the average per day then the following should work:
| bucket _time span=1d
| stats avg(yourfield) by _time
You don't even need to use timechart for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just update the last timechart like this
|timechart span=1d avg(PercentUptime) by server | fillnull value=100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks , with some changes to the above one we got the results intended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I don't quite get your query because some special characters have been removed so in future please remember to post queries inside the code tags (simply use the button above with 1s and 0s when editing queries).
Anyway, if all your are trying to do is to calculate the average per day then the following should work:
| bucket _time span=1d
| stats avg(yourfield) by _time
You don't even need to use timechart for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, Sure will use going forward. Just come to know about code tags 🙂
This gives me results partially what we expected.
It gives us average value only for the days when server is down,but If server is not down then we need to show value for that particular day as 100.
(This was the reason we have used timechart command and used fillnull=100 when it doesn't return any value)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, then simply go back to timechart but use avg instead of values and then pipe that to your fillnull.
@somesoni2 provided an answer below with that syntax I believe.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
