Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Add a column with count stats in addition to an existing column with avarage stats

piefragnisp
Explorer
‎03-16-2020 05:06 AM

I have a json file with some information regarding soa requests. Basically info such as callee, caller, start and end timestamp of a request (write me if you want more details).

By the way I have a splunk-query to group all the events by the callee and calculate the average duration of the difference between end and start timestamp.

Something like this:

| tstats values where index=my_index by callee, timestampStart, timestampEnd  | eval duration= round((strptime(timestampEnd  , "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(timestampStart, "%Y-%m-%dT%H:%M:%S.%6N%Z")),2)| stats avg(duration) as duration by callee| eval duration=round(duration,2) |table callee, duration

In addition to the avarage duration I would also add a column with the count of all events regarding that callee but (if I understand well) I can do this only with a Tstats count.

Any ideas?

Thank a lot

Tags (2)
0 Karma
Reply

manjunathmeti
Champion
‎03-16-2020 08:55 AM

Hi @piefragnisp,

Try this:

| tstats values where index=my_index by callee, timestampStart, timestampEnd 
| eval duration= round((strptime(timestampEnd , "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(timestampStart, "%Y-%m-%dT%H:%M:%S.%6N%Z")),2) 
| stats avg(duration) as duration by callee 
| eval duration=round(duration,2) 
| append 
    [| tstats count where index=my_index by callee] 
| stats values(*) by * by callee 
| table callee, duration, count
0 Karma
Reply

piefragnisp
Explorer
‎03-16-2020 06:38 AM

@to4kawa just tried but seems not wotking

| tstats values where index=my_index by callee, timestampStart, timestampEnd  | eval duration = (strptime(timestampEnd, "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(timestampStart, "%Y-%m-%dT%H:%M:%S.%6N%Z")) | stats avg(duration) as duration by callee | eval duration=round(duration,2)  | append [| tstats count where index=my_index by callee]

In addition I've tried this

| tstats values where index=my_index by callee,caller,  timestampStart, timestampEnd | eval duration = round((strptime(termine, "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(inizio, "%Y-%m-%dT%H:%M:%S.%6N%Z")),2)| stats avg(duration) as duration , count(callee) as total by callee | eval duration=round(duration,2) | table callee, caller, duration, total

and seems working

0 Karma
Reply

to4kawa
Ultra Champion
‎03-16-2020 01:38 PM

good job, accept your answer.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-16-2020 05:30 AM

tstats is fast.

....
| append [| tstats count where index=my_index by callee]
| stats values(duration) as duration by callee

how about this?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...