Comments and answers for "Incorrect per_second results on sparse data sets"
https://answers.splunk.com/answers/23237/incorrect-per-second-results-on-sparse-data-sets.html
The latest comments and answers for the question "Incorrect per_second results on sparse data sets"

Comment by beaumaris on beaumaris's answer
https://answers.splunk.com/comments/23254/view.html
That does not seem to work - tried the more concise version and instead of the results being 2X the correct value, they are now 1/2X the correct value. I tried using sum() instead of avg() and that does yield the correct value for this test dataset. Does that make sense, and if so do you think it will hold up on a much larger dataset over a longer TimeRange?
Thu, 28 Apr 2011 02:53:42 GMT
beaumaris

Comment by gkanapathy on gkanapathy's answer
https://answers.splunk.com/comments/23250/view.html
I suppose I'm assuming that NumBytes comes out zero when there isn't a measurement, or your average will be off. If it's not the case, you might make it a zero by using `coalesce(NumBytes,0)`.
Thu, 28 Apr 2011 01:30:10 GMT
gkanapathy

Answer by gkanapathy
https://answers.splunk.com/answering/23249/view.html
Yeah. per_second (and per_hour and per_minute) are kind of bad that way.
Since you know that your data is grouped per hour (hourly summary), and there's an equal number in every time interval, I'd just calculate your per second number and just display it instead of having `timechart per_second()` (fail to) compute it:
```
index="summary" report="bandwidth_by_service_hourly"
| stats sum(NumBytes) as TotalBytes by _time,Server
| eval TotalMbits=(TotalBytes*8)/1024/1024
| eval TotalMbitsPerSec=TotalMbits/3600
| timechart limit=0 avg(TotalMbitsPerSec) as TotalMBitsPerSec by Server
```
Or more concisely:
```
index="summary" report="bandwidth_by_service_hourly"
| timechart limit=0 avg(eval(NumBytes*8/1024/1024/3600)) as TotalMBitsPerSec by Server
```
Thu, 28 Apr 2011 01:26:57 GMT
gkanapathy