Hi, I am trying to calculate the average of a group of events by calculating the difference between min and max timestamps and then dividing by count.
Split events by an ID
For each of these groups calculate the time taken (by subtracting the min timestamp from the max timestamp)
Calculate avg for the time taken
I am using Timelion and splitting the events by an ID. However, I might be doing something wrong because this looks like it is creating multiple buckets. Here is my query:
It seems like you’re on the right track with your Timelion query, but the issue you’re encountering is due to the split function creating separate series for each context_id. To achieve a continuous line graph representing the average time taken for all events, you’ll need to aggregate the results of your calculations into a single series.
Here’s a revised version of your query that should help you get a continuous line graph:
This query will calculate the max and min timestamps for each context_id, subtract them to get the duration, divide by the count to get the average, and then use the .aggregate('avg') function to average these values across all context_id buckets.
Make sure to replace filebeat-* with the actual index pattern you’re using if it’s different. Also, adjust the split parameter if you need to analyze more or fewer context_id buckets.
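The arithmetic the thread describes (split events by context_id, take max minus min per group, then collapse to one number) is easy to sanity-check outside Kibana before trusting a chart. The block below is an added example written for this page, not a Timelion expression and not code from either poster: it runs the same steps in Python over a constructed set of events (the timestamps, the `context_id` values and the one-line `ts context_id` format are all made up here). `average_duration` is the single value across all groups, and `average_gap` shows what dividing each group's max minus min by its event count actually produces, which is the mean spacing between events rather than the group's duration. Groups with a single event have a duration of zero, so `min_count` lets you exclude them.

```python
from datetime import datetime, timezone
from statistics import mean

# Constructed sample events (not from the original post): one "timestamp context_id" per line.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00Z ctx-a
2024-01-01T10:00:05Z ctx-a
2024-01-01T10:00:20Z ctx-a
2024-01-01T10:01:00Z ctx-b
2024-01-01T10:01:30Z ctx-b
2024-01-01T10:02:00Z ctx-c
"""


def parse_events(text):
    """Yield (context_id, epoch_seconds) from the constructed log format above."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, context_id = line.split()
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield context_id, dt.timestamp()


def group_stats(events):
    """Per context_id: min timestamp, max timestamp and event count.

    This is what a split on context_id with min/max/count metrics gives you.
    """
    stats = {}
    for context_id, t in events:
        s = stats.setdefault(context_id, {"min": t, "max": t, "count": 0})
        s["min"] = min(s["min"], t)
        s["max"] = max(s["max"], t)
        s["count"] += 1
    return stats


def durations(stats):
    """Time taken per group in seconds: max timestamp minus min timestamp."""
    return {cid: s["max"] - s["min"] for cid, s in stats.items()}


def average_duration(stats, min_count=1):
    """One number across all groups: the mean of per-group (max - min).

    Groups with fewer than min_count events are skipped; a single-event group
    always has a duration of 0 and would drag the average down.
    Returns None when no group qualifies.
    """
    values = [s["max"] - s["min"] for s in stats.values() if s["count"] >= min_count]
    return mean(values) if values else None


def average_gap(stats):
    """Mean over groups of (max - min) / count.

    Dividing a group's span by its event count yields the average spacing
    between that group's events, not how long the group took.
    """
    return mean((s["max"] - s["min"]) / s["count"] for s in stats.values())


if __name__ == "__main__":
    stats = group_stats(parse_events(SAMPLE_EVENTS))
    for cid, d in durations(stats).items():
        print(f"{cid}: {stats[cid]['count']} events, {d:.0f}s")
    print("average duration (all groups):", average_duration(stats))
    print("average duration (>= 2 events):", average_duration(stats, min_count=2))
    print("average gap between events:", average_gap(stats))
```

Run it as a script to see the per-group spans next to the two aggregate numbers; the difference between `average_duration` and `average_gap` is what to compare against whatever the chart ends up plotting.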