Aggregate functions summarize the values from each event to create a single, meaningful value. Common aggregate functions include Average, Count, Minimum, Maximum, Standard Deviation, Sum, and Variance.

Most aggregate functions are used with numeric fields. However, there are some functions that you can use with either alphabetic string fields or numeric fields. The function descriptions indicate which functions you can use with alphabetic strings.

For an overview, see statistical and charting functions.

avg() returns the average of the values of the field specified.

You can use this function with the chart, mstats, stats, timechart, and tstats commands, and also with sparkline() charts.

For a list of the related statistical and charting commands that you can use with this function, see Statistical and charting functions.

The following example returns the average (mean) "size" for each distinct "host".

The following example returns the average "thruput" of each "host" for each 5 minute time span.

```
... | bin _time span=5m | stats avg(thruput) BY _time host
```

The following example charts the ratio of the average (mean) "size" to the maximum "delay" for each distinct "host" and "user" pair.

```
... | chart eval(avg(size)/max(delay)) AS ratio BY host user
```

Extended examples

Example 1

The following example displays a timechart of the average of cpu_seconds by processor, rounded to 2 decimal points.

```
... | timechart eval(round(avg(cpu_seconds),2)) BY processor
```

There are situations where the results of a calculation can return a different accuracy to the very far right of the decimal point. For example, the following search calculates the average of 100 values:

```
| makeresults count=100 | eval test=3.99 | stats avg(test)
```

When the count is changed to 10000, the results are different:

```
| makeresults count=10000 | eval test=3.99 | stats avg(test)
```

This occurs because numbers are treated as double-precision floating-point numbers. To mitigate this issue, you can use the sigfig function to specify the number of significant figures you want returned. However, first you need to make a change to the stats command portion of the search: you need to rename the field avg(test) to remove the parentheses. The sigfig function expects either a number or a field name, and it cannot accept a field name that looks like another function, in this case avg.

To specify the number of decimal places you want returned, you multiply the field name by 1 and use zeros to specify the number of decimal places. If you want 4 decimal places returned, you would multiply the field name by 1.0000. To return 2 decimal places, multiply by 1.00, as shown in the following example:

```
| makeresults count=10000 | eval test=3.99 | stats avg(test) AS test | eval new_test=sigfig(test*1.00)
```

Chart the average number of events in a transaction, based on transaction duration.

This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

Run the following search to create a chart that shows the average number of events in a transaction based on the duration of the transaction.

```
sourcetype=access_* status=200 action=purchase | transaction clientip maxspan=30m | chart avg(eventcount) by duration span=log2
```

The transaction command adds two fields to the results: duration and eventcount. The eventcount field tracks the number of events in a single transaction. In this search, the transactions are piped into the chart command, and the avg() function is used to calculate the average number of events for each duration. Because the duration is in seconds and you expect there to be many distinct values, the search uses the span argument to bucket the duration into bins using a logarithm with a base of 2.

Use the field format option to enable number formatting. Click the Visualization tab and change the display to a pie chart. Each wedge of the pie chart represents a duration bin for the event transactions, and you can hover over a wedge to see the average values.
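The following Python is an added example, not Splunk code: it reproduces the double-precision drift the page shows for avg() over 10000 copies of 3.99, rounds the result to significant figures the way the sigfig(test*1.00) step does, and buckets constructed transaction durations into log2 bins as chart ... span=log2 does. The exact bin edges and the handling of sub-second durations are assumptions, not Splunk's documented rules.

```python
# Added example (not Splunk code). Bin edges and the treatment of sub-second
# durations are assumptions about span=log2, not Splunk's exact behaviour.
import math
from collections import defaultdict

def naive_mean(value, count):
    """Accumulate `count` copies of `value` in one double, as a running
    avg() would, so representation error can surface in the last digits."""
    acc = 0.0
    for _ in range(count):
        acc += value          # 3.99 is not exactly representable in binary
    return acc / count

def sigfig(x, digits):
    """Round x to `digits` significant figures. sigfig(test*1.00) on a value
    near 4 asks for two decimals, i.e. three significant figures."""
    if x == 0:
        return 0.0
    return round(x, digits - 1 - math.floor(math.log10(abs(x))))

def log2_bucket(duration):
    """Label the [2^k, 2^(k+1)) bin a duration in seconds falls into;
    durations under 1 s are assumed to share a '0-1' bin."""
    if duration < 1:
        return "0-1"
    k = math.floor(math.log2(duration))
    return f"{2 ** k}-{2 ** (k + 1)}"

def avg_eventcount_by_duration(transactions):
    """Average eventcount per log2 duration bin (chart avg(eventcount) by duration span=log2)."""
    totals = defaultdict(lambda: [0, 0])          # bin -> [sum, n]
    for duration, eventcount in transactions:
        b = log2_bucket(duration)
        totals[b][0] += eventcount
        totals[b][1] += 1
    return {b: s / n for b, (s, n) in totals.items()}

# Constructed transactions (duration in seconds, eventcount), all within maxspan=30m.
TRANSACTIONS = [(0, 1), (1.5, 2), (3, 4), (20, 6), (30, 8),
                (900, 12), (1000, 14), (1799, 20)]

if __name__ == "__main__":
    for n in (100, 10000):
        m = naive_mean(3.99, n)
        print(f"count={n}: avg={m!r} sigfig={sigfig(m, 3)}")
    for b, a in avg_eventcount_by_duration(TRANSACTIONS).items():
        print(f"duration {b}: avg(eventcount)={a}")
```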