This is probably quite simple and I am missing something.
I am using this search:
index=sxxx sourcetype=sxxx host=xyz source="C:\\mydata" |Dedup _time|table _time, host, username, SimulatorProcess, ProcessTime
I have the following search result
08/19/2019 16:44:34,136Z INFO user[XXXX] tid[ 1] [(null)]: ProcessSimulationResults took: 1.1204099 seconds
I did a field extraction to get the username, what the process is, and the time. I would like to put these in a table and average them out. The search has 4 results, but when I put them into a table I get many null results.
What is the best way to display and average these out? I would also like to have a single display of the averages over day/week/month.
Thanks!
Here's how to get the average processTime by user, host, and SimulatorProcess:
index=ixxx sourcetype=sxxx host=xyz source=xxx
| stats avg(ProcessTime) as avgProcessTime by host, username, SimulatorProcess
| table host, username, SimulatorProcess, avgProcessTime
You can also do this over time:
index=ixxx sourcetype=sxxx host=xyz source=xxx
| timechart avg(ProcessTime) as avgProcessTime, values(username) as users, values(host) as hosts by SimulatorProcess
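For the single display of day/week/month averages the question asks for, here is one possible search, added as an example and not part of the original answer. It assumes the empty table rows come from events where the field extraction did not match, reads "day/week/month" as today, the last 7 days and the last 30 days, and uses an inline `rex` written against the sample log line above; the names `samples`, `dayStart`, `weekStart`, `avgToday`, `avgLast7d` and `avgLast30d` are made up for the example.

```spl
index=ixxx sourcetype=sxxx host=xyz source=xxx earliest=-30d@d latest=now
| rex "user\[(?<username>[^\]]+)\].*?:\s+(?<SimulatorProcess>\w+)\s+took:\s+(?<ProcessTime>\d+(?:\.\d+)?)\s+seconds"
| eval ProcessTime=tonumber(ProcessTime)
| where isnotnull(ProcessTime)
| eval dayStart=relative_time(now(), "@d"), weekStart=relative_time(now(), "-7d@d")
| stats count as samples,
        avg(eval(if(_time>=dayStart, ProcessTime, null()))) as avgToday,
        avg(eval(if(_time>=weekStart, ProcessTime, null()))) as avgLast7d,
        avg(ProcessTime) as avgLast30d
        by host, username, SimulatorProcess
| foreach avg* [ eval <<FIELD>>=round('<<FIELD>>', 3) ]
```

The `where isnotnull(ProcessTime)` line drops events without a timing value before they can produce empty rows, and `samples` shows how many events each average is based on.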
Excellent. Thank you for the assist.
Stats count by _Time, host, username, SimulatorProcess, ProcessTime gives me a good chart. Now to average