Solved: Re: Graph to show averages for moving events over ...

ballyp · ‎04-24-2017

Hi I'm looking to create a graph to show the moving 'average time' for multiple events.

The initial search is :
index=wpap host=ukdc*-pc-apa* source="E:\LogFiles\NotificationsManager\Operations.log" | search "Notification Complete"

Within this events there is a key 'totalDuration=9563'

This duration is in seconds for the 'notification process to complete.

I would like to show the moving average for all 'Notification complete' events using the 'TotalDuration' time over a 5 minute period.

Please help!

DalJeanis · ‎04-24-2017

We just did this for a very similar case. https://answers.splunk.com/answers/522301/how-to-create-and-calculate-a-response-time-graph.html

Here's the version for splunk 6.4+...

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| streamstats time_window=5m avg(totalDuration) as avgDuration 
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Here's a version for earlier versions of splunk...

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| eval timefan=mvrange(0,300,10)
| stats avg(totalDuration) as avgDuration by _time
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Both of the above present the trailing 5-minute moving average for events from ten minutes ago to the present, in 10-second increments.

View solution in original post

DalJeanis · ‎04-24-2017

We just did this for a very similar case. https://answers.splunk.com/answers/522301/how-to-create-and-calculate-a-response-time-graph.html

Here's the version for splunk 6.4+...

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| streamstats time_window=5m avg(totalDuration) as avgDuration 
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Here's a version for earlier versions of splunk...

earliest=-16m@m
index=wpap host=ukdc*-pc-apa* 
source="E:\\LogFiles\\NotificationsManager\\Operations.log" 
"Notification Complete"
| bin _time span=10s
| stats avg(totalDuration) as totalDuration by _time
| eval timefan=mvrange(0,300,10)
| stats avg(totalDuration) as avgDuration by _time
| addinfo
| bin info_max_time as maxtime span=10s 
| where (_time >= info_min_time+300) and (_time < maxtime)
| timechart span=10s avg(avgDuration ) as avgDuration

Both of the above present the trailing 5-minute moving average for events from ten minutes ago to the present, in 10-second increments.

ballyp · ‎04-25-2017

thanks that's working great, I used the search just before the 'Where' parameter as it was showing 'null data'

Thanks this is just what I need to work with.

Paul

Graph to show averages for moving events over a particular period.

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...