- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Incremental average over the time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkers!
As usual I'm learn from you.
I'd need to plot an "incremental average" over time, i mean to calculate the average value of a field considering a static starting point , but the ending period corresponding to the time value.
Example:
Starting point Jan-2016, value to be averaged is the "Application Availability" (AppAv)
On Jan-16 i need the Average of AppAv only for the month
On Feb-16 average calculation will have to consider values both for Jan and Feb
ON Mar-16 average calculation will have to consider values from Jan to March
... and so on and so forth
Any hints?
Tks!
Carmine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this !
<base_Search>
| timechart span=1mon avg(AppAv) as app_av_avg
| streamstats avg(app_av_avg) as cumulative_Avg
| eval month_year=strftime(_time, "%b %Y")
let me know if this helps !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this !
<base_Search>
| timechart span=1mon avg(AppAv) as app_av_avg
| streamstats avg(app_av_avg) as cumulative_Avg
| eval month_year=strftime(_time, "%b %Y")
let me know if this helps !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will give an average of averages, which is probably not really what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is fine, I just need to tune in this way
| timechart span=1mon **sum**(AppAv) as app_av_avg
| streamstats avg(app_av_avg) as cumulative_Avg
| eval month_year=strftime(_time, "%b %Y")
as far as need to evaluate AppAv on weekly basis.
Tks!
Carmine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you’re looking for streamstats.
Perhaps something like:
| timechart span=1mon count(AppAv) AS count, sum(AppAv) as sum_month
| streamstats sum(count) as cumulative_count, sum(sum_month) as cumulative_sum
| eval cumulative_average=cumulative_sum/cumulative_count
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
