How do I get average of a numeric series by every n seconds?
Performance Counter increasing sequentially, now I want number of every n second how many increases?
e.g.
S.No. ReadCount
1 4
2 10
3 14
4 19
5 24
6 34
7 35
8 38
9 42
10 49
11 54
12 60
13 64
14 66
15 68
I want to calculate average ReadCount
Based on your data, is this something you are looking for?
sourcetype="log_line" PROCINFO PROGRAM="PROCINFO" | streamstats current=f last(STATS_READ) as last_read | eval delta= last_read - STATS_READ | table _time, delta | bin _time span=1s | stats avg(delta) as increment by _time
_time increment
----------------------- ---------
2012-06-22 12:43:30.000 52.000000
2012-06-22 12:43:40.000 52.000000
2012-06-22 12:43:50.000 52.000000
2012-06-22 12:44:00.000 52.000000
2012-06-22 12:44:10.000 52.000000
2012-06-22 12:44:20.000 52.000000
2012-06-22 12:44:30.000 52.000000
2012-06-22 12:44:40.000 52.000000
2012-06-22 12:44:50.000 52.000000
2012-06-22 12:45:00.000 52.000000
2012-06-22 12:45:10.000 52.000000
2012-06-22 12:45:20.000 52.000000
2012-06-22 12:45:30.000 52.000000
2012-06-22 12:45:40.000 52.000000
2012-06-22 12:45:50.000
$
If you want to sum the delta, you will get the interval of your choice.
Sorry if I am misunderstanding your question...
Based on your data, is this something you are looking for?
sourcetype="log_line" PROCINFO PROGRAM="PROCINFO" | streamstats current=f last(STATS_READ) as last_read | eval delta= last_read - STATS_READ | table _time, delta | bin _time span=1s | stats avg(delta) as increment by _time
_time increment
----------------------- ---------
2012-06-22 12:43:30.000 52.000000
2012-06-22 12:43:40.000 52.000000
2012-06-22 12:43:50.000 52.000000
2012-06-22 12:44:00.000 52.000000
2012-06-22 12:44:10.000 52.000000
2012-06-22 12:44:20.000 52.000000
2012-06-22 12:44:30.000 52.000000
2012-06-22 12:44:40.000 52.000000
2012-06-22 12:44:50.000 52.000000
2012-06-22 12:45:00.000 52.000000
2012-06-22 12:45:10.000 52.000000
2012-06-22 12:45:20.000 52.000000
2012-06-22 12:45:30.000 52.000000
2012-06-22 12:45:40.000 52.000000
2012-06-22 12:45:50.000
$
If you want to sum the delta, you will get the interval of your choice.
Sorry if I am misunderstanding your question...
Yes exactly what I am looking 🙂
Thanks
Sorry but it's not working 😞
Here is complete search details
Query-1
sourcetype="log_line" PROCINFO PROGRAM="PROCINFO" earliest=06/22/2012:12:00:00 latest=now | table STATS_READ _time
Result
_time STATS_READ
1 6/22/12 12:45:50.500 PM 11251
2 6/22/12 12:45:40.453 PM 11199
3 6/22/12 12:45:30.437 PM 11147
4 6/22/12 12:45:20.437 PM 11095
5 6/22/12 12:45:10.422 PM 11043
6 6/22/12 12:45:00.422 PM 10991
7 6/22/12 12:44:50.422 PM 10939
8 6/22/12 12:44:40.422 PM 10887
9 6/22/12 12:44:30.390 PM 10835
10 6/22/12 12:44:20.390 PM 10783
11 6/22/12 12:44:10.375 PM 10731
12 6/22/12 12:44:00.359 PM 10679
13 6/22/12 12:43:50.344 PM 10627
14 6/22/12 12:43:40.312 PM 10575
15 6/22/12 12:43:30.297 PM 10523
Query-2
sourcetype="log_line" PROCINFO PROGRAM="PROCINFO" earliest=06/22/2012:12:00:00 latest=now | table STATS_READ _time | stats range(STATS_READ) as ReadCount by _time
Result
All ReadCount is 0
_time ReadCount
1 6/22/12 12:09:47.219 PM 0
2 6/22/12 12:09:57.234 PM 0
3 6/22/12 12:10:07.250 PM 0
4 6/22/12 12:10:17.250 PM 0
5 6/22/12 12:10:27.265 PM 0
6 6/22/12 12:10:37.281 PM 0
7 6/22/12 12:10:47.328 PM 0
8 6/22/12 12:10:57.344 PM 0
9 6/22/12 12:11:07.359 PM 0
10 6/22/12 12:11:17.375 PM 0
11 6/22/12 12:11:27.390 PM 0
12 6/22/12 12:11:37.422 PM 0
13 6/22/12 12:11:47.437 PM 0
14 6/22/12 12:11:57.453 PM 0
15 6/22/12 12:12:07.453 PM 0
Query-3
sourcetype="log_line" PROCINFO PROGRAM="PROCINFO" earliest=06/22/2012:12:00:00 latest=now | table STATS_READ _time | stats range(STATS_READ) as ReadCount by _time |
stats avg(ReadCount) as AerageCount
Result
No results found. Inspect ...
I tried with bucket _time span=10s also
Can you please tell me what I am doing wrong?
Thanks
Try this:
yoursearchhere |
bucket _time span=10s |
stats range(ReadCount) as RCrange by _time |
stats avg(RCrange) as averageReadCount
This is using a 10 second interval, but you could change the span to whatever you require.