How can you search and display moving averages as ...

acemel · ‎12-20-2016

The search below produces a timechart with 8 sets (trends) of values (Efficiency), one trend for each of 8 positions labeled 1 to 8. The streamstats command adds 8 additional trends showing the moving average Efficiency for each of the 8 positions - AVG(1) to AVG(8).

index="8s_perf_mon" Machine= 5001 Position>=1 AND Position<=8
| timechart span=12h values(eval(if(Efficiency=0, null(),Efficiency))) by Position 
| streamstats AVG

I want to show only the 8 moving average trends so I added "|table AVG*" command as shown below. This removes trends 1-8 but shows only AVG(2) to AVG(8). AVG(1) ended up as the x-axis label of time. The AVG(2) to AVG(8) trends did not seem to change after removing trends 1-8.

index="8s_perf_mon" Machine= 5001 Position>=1 AND Position<=8
| timechart span=12h values(eval(if(Efficiency=0, null(),Efficiency))) by Position 
| streamstats AVG 
|table AVG*

Does anyone know why AVG(1) trend was left out and ended up as the x-axis? How can I display all 8 sets of moving averages as a function of time?

Thanks for any help!

somesoni2 · ‎12-20-2016

Your original query, before streamstats, was a timechart query with _time as first column (for x-axis) and 1-8 as trend columns. Using | table AVG* you're removing the _time field as well, hence the chart visualization is treating first column AVG(1) as x-axis value. Just include the _time as well in your table command

 index="8s_perf_mon" Machine= 5001 Position>=1 AND Position<=8
 | timechart span=12h values(eval(if(Efficiency=0, null(),Efficiency))) by Position 
 | streamstats AVG 
 |table _time AVG*

How can you search and display moving averages as a function of time?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor