Calculating average requests per minute
If we take our previous queries and send the results through stats, we can calculate the average events per minute, like this:

sourcetype=impl_splunk_gen
| timechart span=1m count
| stats avg(count) as "Average events per minute"
This gives us exactly one row:
Alternatively, we can use bucket to group events by minute, and stats to count by each minute that has values, as shown in the following code:

sourcetype=impl_splunk_gen
| bucket span=1m _time
| stats count by _time
| stats avg(count) as "Average events per minute"
We are now presented with a much higher number:
Why? In this case, our fictitious server was down for about 10 hours. In our second example, only minutes that actually had events were included in the results, because stats does not produce an event for every slice of time, as timechart does. To illustrate this difference, look at the results of two queries:
sourcetype=impl_splunk_gen
| timechart span=1h count
This query produces the following table:
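To make the difference between the two averages concrete, here is an added Python emulation of both pipelines (it is not part of the original text and not Splunk code). It constructs a sample event stream with a ten-hour outage in the middle, then computes the per-minute average the way timechart does (every time slice between the first and last event gets a row, empty slices counted as 0) and the way bucket followed by stats count by _time does (only slices that contain events). One simplifying assumption: real timechart fills slices across the search's time range, whereas this emulation fills from the earliest to the latest event.

```python
from collections import Counter
from datetime import datetime, timedelta


def make_events():
    """Constructed sample data: one event per minute for two hours, a
    ten-hour outage, then one event per minute for another two hours."""
    start = datetime(2024, 1, 1, 0, 0)
    events = [start + timedelta(minutes=m) for m in range(120)]
    after_outage = start + timedelta(hours=12)
    events += [after_outage + timedelta(minutes=m) for m in range(120)]
    return events


def bucket(ts, span_minutes=1):
    """Truncate a timestamp to the start of its span (like `bucket span=1m _time`)."""
    return ts.replace(
        minute=(ts.minute // span_minutes) * span_minutes, second=0, microsecond=0
    )


def timechart_count(events, span_minutes=1):
    """Emulates `timechart span=1m count`: one row per slice from the earliest
    to the latest bucket, with 0 for slices that have no events.
    (Assumption: the span is taken from the data, not a search time range.)"""
    if not events:
        return []
    counts = Counter(bucket(e, span_minutes) for e in events)
    first, last = min(counts), max(counts)
    rows, t = [], first
    while t <= last:
        rows.append((t, counts.get(t, 0)))
        t += timedelta(minutes=span_minutes)
    return rows


def bucket_stats_count(events, span_minutes=1):
    """Emulates `bucket span=1m _time | stats count by _time`: a row only for
    slices that actually contain events, so outage minutes never appear."""
    counts = Counter(bucket(e, span_minutes) for e in events)
    return sorted(counts.items())


def average(rows):
    """Emulates the final `stats avg(count)` over a list of (time, count) rows."""
    if not rows:
        return 0.0
    return sum(count for _, count in rows) / len(rows)


if __name__ == "__main__":
    events = make_events()
    tc = timechart_count(events)
    bs = bucket_stats_count(events)
    print(f"timechart rows: {len(tc)}, average per minute: {average(tc):.4f}")
    print(f"bucket+stats rows: {len(bs)}, average per minute: {average(bs):.4f}")
```

With this data the timechart path yields 840 rows (14 hours of one-minute slices, 600 of them zero) and an average of about 0.29, while the bucket-and-stats path yields only the 240 minutes that had traffic and an average of exactly 1.0. The second number looks healthier, but it silently drops the outage; which one you want depends on whether "average events per minute" is meant to reflect downtime.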