Hi,
I have this data that is retrieved once per hour (more or less on the hour) for the past 7 days.
readyArmed,32335,2018-02-15 12:01:38.646138 -5:00
armed,4743,2018-02-15 12:01:38.646138 -5:00
The first field is the armed state and the second field is the number of customers in that state at that time, the third field is the timestamp.
I've created a simple timechart graph showing the pattern and it looks like this. What I'd like to do is create a similar timechart graph that shows the minimum, maximum and averages of the same data over time.
index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum|eventstats max(sum) as max min(sum) as min avg(sum) as avg
based on previous comments, is something like this what you're needing?
Hi cmerriman,
Interesting idea doing the post processing with eventstats. I gave it a shot and here is what happened
Time period X
Sum Value=37604 (this is good)
Avg Value=41271 (looks good)
Max Value=60718 (looks good)
Min Value=25947 (looks good)
Here is where the trouble shows up
Time period Y
Sum Value=37418 (this is good)
Avg Value=41271 (identical to time period X - possible but very unlikely)
Max Value=60718 (identical to time period X - possible but very unlikely)
Min Value=25947 (identical to time period X - possible but very unlikely)
Time period Z
Sum Value=36751 (this is good)
Avg Value=41271 (identical to time period X & Y - possible but extremely unlikely)
Max Value=60718 (identical to time period X & Y - possible but extremely unlikely)
Min Value=25947 (identical to time period X & Y - possible but extremely unlikely)
can you give a sample output of what the data should look like? I thought you meant the overall max/min/avg of sum when you stated you needed to represent the avg of the sum, min of the sum, and max of the sum. I suppose you could use streamstats instead of eventstats, and that would be a moving min/max/avg.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats
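As an added illustration (not from this thread and not Splunk's own code), the Python below models what the two SPL shapes compute on rows in the thread's format: the per-hour sum of field2 across both states, then eventstats-style overall min/max/avg (one value repeated on every row) versus streamstats-style windowed min/max/avg that move with time. The event rows and the window size are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events in the thread's STATUS,field2,timestamp layout
# (one readyArmed and one armed row per hourly poll); not real data.
SAMPLE_EVENTS = """\
readyArmed,32335,2018-02-15 12:01:38.646138 -5:00
armed,4743,2018-02-15 12:01:38.646138 -5:00
readyArmed,31900,2018-02-15 13:00:12.000000 -5:00
armed,5518,2018-02-15 13:00:12.000000 -5:00
readyArmed,30200,2018-02-15 14:02:41.000000 -5:00
armed,6551,2018-02-15 14:02:41.000000 -5:00
readyArmed,34000,2018-02-15 15:01:05.000000 -5:00
armed,4100,2018-02-15 15:01:05.000000 -5:00
"""

def hourly_sums(raw):
    """Model of `timechart span=1hr sum(field2) as sum`: bucket each row on
    the hour and add field2 across both states. Returns [(hour, sum), ...]."""
    buckets = {}
    for line in raw.strip().splitlines():
        status, value, ts = line.split(",", 2)
        if status not in ("armed", "readyArmed"):
            continue
        hour = datetime.strptime(ts[:19], "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)
        buckets[hour] = buckets.get(hour, 0) + int(value)
    return sorted(buckets.items())

def eventstats_style(series):
    """Model of `| eventstats max(sum) as max min(sum) as min avg(sum) as avg`:
    the statistics are taken over the whole series once and then attached to
    every row, so each row carries the same min/max/avg (the behaviour seen
    above). Returns [(hour, sum, min, max, avg), ...]."""
    vals = [s for _, s in series]
    lo, hi, avg = min(vals), max(vals), sum(vals) / len(vals)
    return [(h, s, lo, hi, avg) for h, s in series]

def streamstats_style(series, window):
    """Model of `| streamstats window=N min(sum) as min max(sum) as max
    avg(sum) as avg`: statistics over the current row and the N-1 rows
    before it, so they change as the series advances."""
    out = []
    for i, (h, s) in enumerate(series):
        vals = [v for _, v in series[max(0, i - window + 1):i + 1]]
        out.append((h, s, min(vals), max(vals), sum(vals) / len(vals)))
    return out
```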
If you just want the min/max/avg over the same period that your sum is over, this should work:
earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as sum, avg(field2) AS avg, min(field2) AS min, max(field2) AS max
Hi Michahkemp,
Thanks! It's close but not quite, and I wasn't clear, so lemme try again.
I would like the sum of field 2 min, max and avg not just field2
are you wanting it by state? or are there other fields that you want min, max, avg of?
State can be armed or readyArmed, for this report they are essentially the same thing which is why I am summing the two values into one.
Once summed I need to represent the sum, the avg of the sum, the minimum of the sum, and the maximum of the sum
There are no other values in the data (I tried to keep it simple)
Oh sorry, should have included my query
earliest=-100hr index=blahalarm STATUS=armed OR STATUS=readyArmed|timechart span=1hr sum(field2) as ar