display running average with autoregress?

Question

I am attempting to calculate a running average with autoregress for a count of errors across a group of servers. I'm using the following query to get the data in 5-minute slices

index="monitoring" ServerErrors  | timechart span=5m sum(ServerErrors)

How would I get a running average of the last four hours of the values generated here? Do I want to use something like

| autogregress p1-48

My experience here is very limited, so I'm certain there is much I don't know about what's going on here.

Accepted Answer

0

I'd go this route:

index="monitoring" ServerErrors 
       | timechart span=5m sum(ServerErrors) as Error5MinSum 
       | streamstats avg(Error5MinSum) window=48

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

link

answered 10 Mar '11, 22:05

David
2.2k●1●3●20
accept rate: 46%

Thanks. This provided the kind of information I wanted.

(10 Mar '11, 23:49) dang

display running average with autoregress?

Follow this question

Splunk Resources

Related questions