Solved: Re: Summary-Index: Is it possible to summary index...

hofer · ‎04-17-2015

So i got this report running all 15min and saving into my summary index:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms

Now there are 2 durations in an original event, one is the Message_DURATION_whole and one the Message_DURATION_part1.
I'd like to have both the averages (see search above) of them in my summary index event. These two fields are field extractions.
Is this possible or do I have to just add another report, which makes almost the same, but with the other duration?

Thank you very much

ngatchasandra · ‎04-17-2015

Hi hofer,

This is possible!

You will write your request like this:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms, avg(Message_DURATION_part1) AS ms2

View solution in original post

ngatchasandra · ‎04-17-2015

Hi hofer,

This is possible!

You will write your request like this:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms, avg(Message_DURATION_part1) AS ms2

juvetm · ‎04-17-2015

Hi
can you try to use the eval commad i think this may help o solve you problem

hofer · ‎04-20-2015

Thank you, ngatchasandra.
@juvetm, yes this is also possible, but unfortunately "eval" doesn't go with "avg". But for example a straight line, this works great.

Summary-Index: Is it possible to summary index the averages of two calculated fields in the same search?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!