Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use timechart command to calculate the average of a field?

chengyu
Path Finder
‎02-07-2017 04:52 PM

My raw data:

Feb  7 18:18:23 impact 1 Gbps/137.54 Kpps, importance 2...
Feb  7 18:18:23 impact 3600 Mbps/137.54 Kpps, importance 2...

I want use timechart search command calculate avg(1Gbps & 3600Mbps) by week or month. Now i use rex to extract field 1G and 3600Mbps values but the field name is same. i wish to change 3600Mbps to Gbps then run timechart avg(field). What should i do? Thanks.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chengyu
Path Finder
‎02-07-2017 10:00 PM

Hi Sir, data is 1 Gbps/137.54 Kpps or 3600 Mbps/137.54 Kpps, i want calculate 1Gbps & 3600 Mbps avg value, not Kpps value. So i can use rex extract field capture 1 and 3600 value and call field name "bandwidth", but 3600 need transfer to gigabyte, finally use splunk command "timechart sapn=1mon avg(bandwidth)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chengyu
Path Finder
‎02-07-2017 10:00 PM

Hi Sir, data is 1 Gbps/137.54 Kpps or 3600 Mbps/137.54 Kpps, i want calculate 1Gbps & 3600 Mbps avg value, not Kpps value. So i can use rex extract field capture 1 and 3600 value and call field name "bandwidth", but 3600 need transfer to gigabyte, finally use splunk command "timechart sapn=1mon avg(bandwidth)"

0 Karma
Reply
Solved! Jump to solution

mpreddy
Communicator
‎02-07-2017 11:07 PM 
If you were able to extract field  bandwidth 1 and 3600 then extract or split another field called type  Gbps and Mbps and use If condition type = Gbps  then bandwidth/1000 else bandwidth and then use timechart for average.
0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎02-13-2017 07:47 PM

myserarch ... |table bandwidth,_time | rex field=bandwidth "^(?P\d+.\d+)\s(?P\w+)$" | eval Unit=case(Unit="Gbps",1024,true(),1) | eval InGbps=(Value*Unit)/1024 |eval InGbps=round(InGbps,2) | timechart span=1d max(InGbps) as MaxGbps avg(InGbps) as AvgGbps

extract fields :
1.04 Gbps
384.05 Mbps
5.01 Gbps
...

0 Karma
Reply
Solved! Jump to solution

mpreddy
Communicator
‎02-07-2017 05:43 PM

try like this:

base query |rex "impact\s(?<bandwidth>.*)/(?<mbps>.\d+.\d+)"  |timechart span=1mon avg(mbps) as avg by bandwidth
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-07-2017 05:05 PM

Can you share your current search that you've so far?

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...