I've ended up writing this:
sourcetype=BatchLog name=OperationInsertionBatchJob entitiesProcessed > 0
| bucket _time span=day | stats sum(entitiesProcessed) AS totalEntitiesProcessed BY _time
| eval kTotalEntitiesProcessed = totalEntitiesProcessed / 1000
| eval _time = case(
_time >= relative_time(now(),"@d"), _time,
_time >= relative_time(now(),"@d-1mon"), relative_time(now(),"@d-1mon"),
_time >= relative_time(now(),"@d-2mon"), relative_time(now(),"@d-2mon"),
_time >= relative_time(now(),"@d-3mon"), relative_time(now(),"@d-3mon"),
_time >= relative_time(now(),"@d-4mon"), relative_time(now(),"@d-4mon"),
_time >= relative_time(now(),"@d-5mon"), relative_time(now(),"@d-5mon")
)
| timechart avg(kTotalEntitiesProcessed)
And I have what I wanted. For a related chart, I would like the average speed for the events. I've written this, but I think the stats sum is messing up the query. Can you explain to me why?
sourcetype=BatchLog name=OperationInsertionBatchJob entitiesProcessed > 0
| bucket _time span=day
| stats sum(entitiesProcessed) AS totalEntitiesProcessed sum(duration) AS totalDuration BY _time date
| eval timeStart = strptime(date, "%+")
| eval timeEnd = strptime(endDate, "%+")
| eval duration = timeEnd - timeStart
| eval _time = case(
_time >= relative_time(now(),"@d"), _time,
_time >= relative_time(now(),"@d-1mon"), relative_time(now(),"@d-1mon"),
_time >= relative_time(now(),"@d-2mon"), relative_time(now(),"@d-2mon"),
_time >= relative_time(now(),"@d-3mon"), relative_time(now(),"@d-3mon"),
_time >= relative_time(now(),"@d-4mon"), relative_time(now(),"@d-4mon"),
_time >= relative_time(now(),"@d-5mon"), relative_time(now(),"@d-5mon")
)
| eval speed = totalEntitiesProcessed / totalDuration | timechart avg(speed)
EDIT: after checking, the output average is wrong 😕
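For reference, here is the same daily-speed search with the duration computed before the aggregation, as an added example that is not the poster's own search. stats emits only its aggregate and BY fields, so endDate is no longer available after it and a per-event duration has to be built up front; the example assumes each raw event carries date and endDate in the "%+" format the post already uses, that the raw events have no duration field of their own, and keeps the poster's case() mapping of older days onto month boundaries unchanged.

```spl
sourcetype=BatchLog name=OperationInsertionBatchJob entitiesProcessed > 0
| eval timeStart = strptime(date, "%+")
| eval timeEnd = strptime(endDate, "%+")
| eval duration = timeEnd - timeStart
| where isnotnull(duration) AND duration > 0
| bucket _time span=day
| stats sum(entitiesProcessed) AS totalEntitiesProcessed sum(duration) AS totalDuration BY _time
| eval speed = totalEntitiesProcessed / totalDuration
| eval _time = case(
_time >= relative_time(now(),"@d"), _time,
_time >= relative_time(now(),"@d-1mon"), relative_time(now(),"@d-1mon"),
_time >= relative_time(now(),"@d-2mon"), relative_time(now(),"@d-2mon"),
_time >= relative_time(now(),"@d-3mon"), relative_time(now(),"@d-3mon"),
_time >= relative_time(now(),"@d-4mon"), relative_time(now(),"@d-4mon"),
_time >= relative_time(now(),"@d-5mon"), relative_time(now(),"@d-5mon")
)
| timechart avg(speed)
```

The where clause drops events whose timestamps failed to parse or whose end precedes their start, which would otherwise turn speed into null or a negative value for that day. Note that avg(speed) weights every day equally; if the monthly throughput is wanted instead, carry totalEntitiesProcessed and totalDuration through timechart with sum() and divide afterwards.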