timechart average of a sum

dinisco · ‎10-23-2012

I have a row for each host in my source data. I want to sum the values of two fields for all hosts and display on a chart. Since there are 4 entries for each host for each minute, that sum needs to be averaged as the chart stretches out over time. This attempt doesn't seem to be working. It seems to be averaging the fields for the hosts:

host=hostname* |stats sum(writes) as writes_sum, sum(reads) as reads_sum by host,_time |timechart avg(writes_sum), avg(reads_sum)

Not sure what I'm doing wrong, any ideas? Thanks.

Lucas_K · ‎10-23-2012

Any reason you don't just use the timechart avg directly?

host=hostname* |timechart avg(writes), avg(reads) by host

You can then adjust your bucket size if required.

edit: i re-read your question again.

would a "timechart per_minute(writes), per_minute(reads) by host" be what your after?

Lucas_K · ‎10-23-2012

So you want just read and write and don't care about hosts? (ie just the two fields?). If so then just leave the host off. The "by" command just separates it into series. Sorry im just not quite understanding the required output so im guessing 😞

dinisco · ‎10-23-2012

host=hostname* |timechart avg(writes), avg(reads) by host
does yield somewhat useful results and I already have it in place. But it's not what I'm after. With 6 hosts it generates 12 series on the graph. I want 2.

I think per_minute might work if my data didn't have an entry for every 15 secs.

timechart average of a sum

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio