Find average count per minute by a specific field ...

flls · ‎05-19-2017

Hi,

I have a web service's http access log and I want to find out the average request per minute for each url_path over the WHOLE period. A timechart of per minute average is not what I need.

I tried the following search query, but because during some minutes some url_path may not have events at all, and this search does not give the correct statistics.

sourcetype=accesslog | bucket _time span=1m | stats count by _time url_path | stats avg(count) as avg_per_min by url_path

This should be a very simple use case, but still cannot find a solution to that, could anyone help ?

woodcock · ‎05-20-2017

As @somesoni2 said, you probably have gaps where there are no events and these gaps will cause your math to be bad. You could do this work yourself with the makecontinuous command but one of the (many) nice things that timechart does is fill in 0 values for empty slots so try this:

sourcetype=accesslog 
| timechart limit=0 span=1m count BY url_path 
| untable _time sourcetype events_per_min
| stats avg(events_per_min) AS avg_per_min BY url_path

somesoni2 · ‎05-19-2017

Give this a try.

sourcetype=accesslog | stats count by url_path | addinfo | eval mins=(info_max_time-info_min_time)/60 | eval avepermin=count/mins

somesoni2 · ‎05-19-2017

The addinfo commands gives the current time range based on which total no of minutes are calculated.

Find average count per minute by a specific field over the whole time period

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms