How to display mean of last 30 days count by time ...

ID_SplunkUser · ‎07-10-2016

I need to display mean of last 30 days request received count over a chart at the interval of 5 minutes. Chart X-axis should display time from Midnight to Midnight. And Y-axis should display the count number.
For ex: at 10:00 am how many request received in last 30 days, calculate the mean and display it.
I tried using "timechart", but if I try to calculate for last 30 days, the X-axis shows days for 30 minutes.

|timechart span=15m sum(RequestCount) as count

martin_mueller · ‎07-17-2016

Depending on what you actually are looking for, this might help:

... | bin span=5m _time | stats sum(RequestCount) as count by _time | eval slot = strftime(_time, "%H:%M") | stats mean(count) by slot

That will compute the sum for each five-minute interval, and then compute the mean for each time-of-day slot. Run over the last 30 days.

Richfez · ‎07-11-2016

timechart's behavior can be altered by the optional parameter bins=N. In order to show a 5 minute interval for 30 days, you need 30 days times 24 hours each day times 12 intervals per hour, or 8640 points. One note: bins is a "maximum" setting, so you can set it a little higher than you need just to make sure a leap second didn't pop in there or something.

... | timechart bins=9000 sum(RequestCount) as count

By the way, can your monitor display 8640 points? If it can't - if it's X resolution is 1920 and not 8640, well, it's useless to display so many. You may only get ~1800 or so.

How to display mean of last 30 days count by time from Midnight to next midnight over chart

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...