- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Using mean(x) in summary search run every 5 minute...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - I need to calculate the mean(response time) for at complete month based on summary index.
The summary index search has to run every 5 minutes - selecting last 5 minutes of data.
The search will look like this: Search.... |sistats mean(response time) by xxx yyyy www ttt
The monthly report search will look like this: index=summary REPORT=MEANRESP|timechart span=1month mean(response time)
QUESTION: Will the search run on the summary index give the same result as if I made the search run on the actual transaction log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There will be some differences (magnitude depend upon the data) as there will be little rounding in mean calculation of summary indexes and subsequent mean calculation during data fetch from. See this runanywhere search example and compare the results.
SET 1
simulating summary index
| gentimes start=-1 | eval temp=mvrange(1,200,2) | table temp | mvexpand temp | eval data=temp+1 | bucket span=5s data | stats mean(temp) as temp by data | stats mean(temp) as temp
Direct calculation
| gentimes start=-1 | eval temp=mvrange(1,200,2) | table temp | mvexpand temp | eval data=temp+1 | stats mean(data) as temp
SET 2
simulating summary index
| gentimes start=-1 | eval temp=mvrange(2,200,2) | table temp | mvexpand temp | eval data=temp+1 | bucket span=5s data | stats mean(temp) as temp by data | stats mean(temp) as temp
Direct calculation
| gentimes start=-1 | eval temp=mvrange(2,200,2) | table temp | mvexpand temp | eval data=temp+1 | stats mean(data) as temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There will be some differences (magnitude depend upon the data) as there will be little rounding in mean calculation of summary indexes and subsequent mean calculation during data fetch from. See this runanywhere search example and compare the results.
SET 1
simulating summary index
| gentimes start=-1 | eval temp=mvrange(1,200,2) | table temp | mvexpand temp | eval data=temp+1 | bucket span=5s data | stats mean(temp) as temp by data | stats mean(temp) as temp
Direct calculation
| gentimes start=-1 | eval temp=mvrange(1,200,2) | table temp | mvexpand temp | eval data=temp+1 | stats mean(data) as temp
SET 2
simulating summary index
| gentimes start=-1 | eval temp=mvrange(2,200,2) | table temp | mvexpand temp | eval data=temp+1 | bucket span=5s data | stats mean(temp) as temp by data | stats mean(temp) as temp
Direct calculation
| gentimes start=-1 | eval temp=mvrange(2,200,2) | table temp | mvexpand temp | eval data=temp+1 | stats mean(data) as temp
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
