Solved: Combining stats output with eval

brutecat · ‎06-22-2015

Some advice on something I would have thought to be easy.

I have a field called Elapsed. I want to calculate the number of events in a window of two hours, divide this count by 7200 (the number of seconds in 2 hours) and multiply this by the average value of Elapsed divided by 1000 over this two hours. I then want to send this evaluated result to a timechart. Here is my current search:

index=ediinter Elapsed>0 | bucket _time span=2h | stats avg(Elapsed) as Residence, count as Total |  eval queue=((Total/7200)*(Residence/1000)) |  timechart span=2h first(queue) as Queue

but this produces no results

What am I filtering out?

Thanks,

Stan

HiroshiSatoh · ‎06-22-2015

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

View solution in original post

HiroshiSatoh · ‎06-22-2015

timechart requires _time.

| stats avg(Elapsed) as Residence, count as Total | ->fields:Residence、Total
↓Is this a for good?
| stats avg(Elapsed) as Residence, count as Total by _time|

brutecat · ‎06-23-2015

Hi HiroshiSatoh,

Great. Thanks very much. I had assumed this was the default.

Regards,

Stan

Combining stats output with eval

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases