index="search_index" search processing_service | eval time_in_mins=('metric_value')/60| stats avg(time_in_mins) as channel_avg sum(time_in_mins) as total_mins count as total_count by channel|eventstats sum(total_mins) as total_mins sum(total_count) as total_count|eval all_channel_avg=total_mins/total_countĪgain, that might actually need some work, as i'm currently really thinking that the math might not be right. However, you might want to do a count and sum in the stats command and then the eventstats and some eval in order to not run eventstats before stats. If you'd like both the individual channel avg AND the total avg, possibly something like: index="search_index" search processing_service | eval time_in_mins=('metric_value')/60 |eventstats avg(time_in_mins) as total_avg| stats values(total_avg) as all_channel_avg avg(time_in_mins) as channel_avg by channel ![]() Which would just output one column named all_channel_avg and one row with the avg. stats count (srcgroup) AS srcgroup count (destgroup) AS destgroup BY group. eval groupcoalesce (srcgroup,destgroup) will give me only the srcgroup value and, in my example, discard C & Z. The chart command uses the second BY field, host, to split the results into separate columns. Hi, Unfortunately this is not what I want. This first BY field is referred to as the field.For each unique value in the status field, the results appear on a separate row. To use transaction, either call a transaction type (that you configured via nf ), or define transaction constraints in your search by setting the search. The transaction command yields groupings of events which can be used in reports. ![]() As stated in the comments, I believe what you're after is simply index="search_index" search processing_service | eval time_in_mins=('metric_value')/60 | stats avg(time_in_mins) as all_channel_avg The chart command uses the first BY field, status, to group the results. Search for transactions using the transaction command either in Splunk Web or at the CLI.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |