Hi all.
I need help with one of my queries, shown below:
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart sum(PERCENT90) over FUNCTION by source
Now if I run this query over a 7-day period, ideally I should get the day 1 SUM through the day 7 SUM, averaged by 7.
For example:
DAY 1 Day 2 Day 3 Day 5 Day 5 Day 6 Day 7
1 2 3 4 5 6 7
It should be 28/7, which is 4. Similarly, if we add day 8 data as 8,
the result should be 36/8, which is 4.5,
but what I am getting is 28 for 7 days and 36 for 8 days 😞
Can anyone help me understand what I am missing?
From what I can infer from your query, you should see results in this fashion:
FUNCTION DAY1 DAY2 DAY3 DAY4 DAY5 DAY6 DAY7
Fun1 3 4 5 6 7 8 9
If you are running the search over 7 days, then how is it calculating the average? From what I see, it will calculate the sum of all the values of the PERCENT90 field and show it to you in chart fashion. Also, does source have the values DAY1, DAY2 and so on?
Can you show a sample data set?
Yes, it looks like the below with the above query:
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115
But if I am using the time picker for 7 days, I will be getting the sum of the AGE function 7 times:
FUNCTION | HK | SG
AGE |754.411 | 844.508
I want to get the average instead of 107.773 x 7 & 120.644 x 7 for all functions.
So if I use
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
I get the desired result for functions which have only one sub-value, but if there's a function with more sub-values, it even averages the values under it. For example:
A function like COM has sub-values which need to be summed up.
So COM has sub-values:
COM1 : 2
COM2 : 4
COM3 : 6
So I need the "COM" function's value as 12, but if I am using avg(PERCENT90) what I get is 12/3.
So the requirement is that sub-values under functions should be summed up only, and not averaged, and they are summed up under the function for a particular day. Once I have the sum of sub-values under a function for the day, I want to do an average of the function's value by cities.
Function HK SG
Do you get the right results when you use avg(PERCENT90) instead of sum(PERCENT90)?
Yes, I could use avg(PERCENT90), but each FUNCTION field holds 2 to 3 values of ACTION of their own, which need to be grouped under each function.
The problem is that I want to sum the action values that are there in some of the functions. For example, below is the output requested:
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115
Now some of the functions, like COM, have sub-values which need to be summed up.
So COM has sub-values:
COM1 : 2
COM2 : 4
COM3 : 6
So I need the "COM" function's value as 12, but if I am using avg(PERCENT90) what I get is 12/3
if I am using the below query:
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
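
The aggregation the thread asks for, modelled in Python as an added example (not code from any poster): sum the ACTION values per day, FUNCTION and source first, then average those daily sums. The sample events, the `City_APP_HK` source name and the SPL pipeline quoted in the docstring are assumptions, not taken from the thread.

```python
from collections import defaultdict

def build_events(days):
    """Constructed sample: one event per ACTION per day for a single source."""
    events = []
    for day in range(1, days + 1):
        # COM has three ACTION sub-values (2, 4, 6), as in the thread.
        for action, value in (("COM1", 2.0), ("COM2", 4.0), ("COM3", 6.0)):
            events.append((day, "City_APP_HK", "COM", action, value))
        # AGE has one ACTION; its value varies by day (made-up numbers).
        events.append((day, "City_APP_HK", "AGE", "AGE1", 100.0 + day))
    return events

def chart_sum(events):
    """Model of: chart sum(PERCENT90) over FUNCTION by source."""
    totals = defaultdict(float)
    for _day, source, function, _action, value in events:
        totals[(function, source)] += value
    return dict(totals)

def chart_avg(events):
    """Model of: chart avg(PERCENT90) over FUNCTION by source."""
    values = defaultdict(list)
    for _day, source, function, _action, value in events:
        values[(function, source)].append(value)
    return {key: sum(v) / len(v) for key, v in values.items()}

def daily_sum_then_avg(events):
    """Sum ACTION values per day first, then average the daily sums.

    Assumed SPL equivalent (not from the thread):
      ... | bin _time span=1d
          | stats sum(PERCENT90) AS daily_sum BY _time, FUNCTION, source
          | chart avg(daily_sum) over FUNCTION by source
    """
    daily = defaultdict(float)
    for day, source, function, _action, value in events:
        daily[(day, function, source)] += value
    per_function = defaultdict(list)
    for (_day, function, source), total in daily.items():
        per_function[(function, source)].append(total)
    return {key: sum(v) / len(v) for key, v in per_function.items()}

if __name__ == "__main__":
    week = build_events(7)
    for name, fn in (("sum", chart_sum), ("avg", chart_avg),
                     ("daily sum, then avg", daily_sum_then_avg)):
        print(name, fn(week))
```

The two-stage version keeps COM at the sum of its sub-values for each day and stays stable when the time range grows, which neither single `chart` call does.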