Splunk Search

time picker average if selected more than one day

VI371887
Path Finder

Hi All.

I need help regarding one of my queries, shown below:

index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart sum(PERCENT90) over FUNCTION by source

Now if I run this query over a 7-day period, ideally I should get the day 1 SUM to day 7 SUM averaged by 7.

For example:

Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Day 6 | Day 7
1     | 2     | 3     | 4     | 5     | 6     | 7

It should be 28/7, which is 4. Similarly, if we add day 8 data as 8,

the result should be 36/8, which is 4.5,

but what I am getting is 28 for 7 days and 36 for 8 days 😞

Can anyone help me understand what I am missing?


macadminrohit
Contributor

From what I can infer from your query, you should see results in this fashion:

FUNCTION | DAY1 | DAY2 | DAY3 | DAY4 | DAY5 | DAY6 | DAY7
Fun1     | 3    | 4    | 5    | 6    | 7    | 8    | 9

If you are running the search over 7 days, then how is it calculating the average? From what I see, it will calculate the sum for all the values of the PERCENT90 field and show you that in chart fashion. Also, does source have the values DAY1, DAY2 and so on?

Can you show some sample data set?


VI371887
Path Finder

Yes, it looks like below with the above query:

FUNCTION | HK      | SG
AGE      | 107.773 | 120.644
CLT      | 49.206  | 37.6
COM      | 12      | 61.778
RIO      | 56.803  |
CONSULT  |         | 10.115

but if I am using the time picker for 7 days I will be getting the sum of the AGE function 7 times:

FUNCTION | HK      | SG
AGE      | 754.411 | 844.508

I want to get the average instead of 107.773 x 7 & 120.644 x 7 for all functions.

So if I use

index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source

I get the desired result for functions which have only one sub-value, but if there's a function with more sub-values it even averages the values under it. For example:

A function like COM has sub-values which need to be summed up.

So COM has sub-values:
COM1 : 2
COM2 : 4
COM3 : 6

So I need the "COM" function's value as 12, but if I am using avg(PERCENT90) what I get is 12/3.

So the requirement is that sub-values under functions should only be summed up, not averaged, once they are grouped under the Function for a particular day. Once I have the sum of sub-values under a function for the day, I want to do an average of the function's value by cities.

FUNCTION | HK | SG
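One way to express the two-stage aggregation described in the post above, added here as an editorial example and not taken from any reply in the thread: first sum PERCENT90 within each FUNCTION and source per day (so COM1/COM2/COM3 collapse into COM), then average those daily totals across whatever range the time picker selects. Field names are those used in the question; `span=1d` and the `daily_total` name are assumptions.

```spl
index=int_app source="City_APP*" FUNCTION=* ACTION=*
| bin _time span=1d
| stats sum(PERCENT90) AS daily_total BY _time FUNCTION source
| chart avg(daily_total) OVER FUNCTION BY source
```

Days with no events for a given FUNCTION produce no row in the stats output and therefore are not counted as zero in the final average; if a missing day should pull the average down, fill those days in before the chart step.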

richgalloway
SplunkTrust

Do you get the right results when you use avg(PERCENT90) instead of sum(PERCENT90)?

---
If this reply helps you, Karma would be appreciated.

VI371887
Path Finder

Yes, I could use avg(PERCENT90), but each Function field holds 2 to 3 values of ACTION of its own which need to be grouped under each function.

The problem is that I want to sum the action values that are there in some of the functions. For example, below is the output requested:

FUNCTION | HK      | SG
AGE      | 107.773 | 120.644
CLT      | 49.206  | 37.6
COM      | 12      | 61.778
RIO      | 56.803  |
CONSULT  |         | 10.115

Now some of the functions, like COM, have sub-values which need to be summed up.

So COM has sub-values:
COM1 : 2
COM2 : 4
COM3 : 6

So I need the "COM" function's value as 12, but if I am using avg(PERCENT90) what I get is 12/3

if I am using the below query:

index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source