https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660781#M54372 <P>I don't like to use the default time-related fields.</P><P>1. They don't have to be present</P><P>2. Quoting the docs:</P><P><STRONG>Note:</STRONG> Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.</P> Sat, 14 Oct 2023 12:31:26 GMT PickleRick 2023-10-14T12:31:26Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660697#M54364 <P>I am looking to create a chart showing the <STRONG>average</STRONG> daily total ingest by month in Terabytes excluding weekends over the past year. For some reason I am struggling with this. Any help getting me started would be appreciated.</P> Fri, 13 Oct 2023 16:55:34 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660697#M54364 scout29 2023-10-13T16:55:34Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660728#M54366 <P>Please define what you mean by "average daily ingest excluding weekends". Do you mean to sum only values from monday to friday and divide by 5 days weekly or do you want to sum values from whole 7 days and divide by 5 days or maybe sum values from 5 days and divide by 7 days? (of course extrapolated to your whole search timerange but I mean how do you wanna treat those weekends).</P> Fri, 13 Oct 2023 18:54:33 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660728#M54366 PickleRick 2023-10-13T18:54:33Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660734#M54367 <P>Im looking for the daily average for each month excluding weekends all together. So for example, for September, what was the average daily ingest for all days Monday through Friday.&nbsp;</P> Fri, 13 Oct 2023 19:09:02 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660734#M54367 scout29 2023-10-13T19:09:02Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660736#M54368 <P>OK. So if your June had 23 working days, you want only sum of the license usage during those 23 days divided by 23, right? You simply count as if the week was 5 days long and completely ignore existence of saturdays and sundays?</P><P>As you open the licensing report in search, you see something like this:</P><PRE>index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary"</PRE><P>I suppose if you have a distributed environment you might not have the localhost part but some other form of choosing indexers.</P><P>Anyway, since it's done right after midnight to calculate summarized amount of license used per day, the search behind the report substracts half a day (43200 seconds) from the _time field and then does binning over _time.</P><P>And that's pretty much it - the <STRONG>b</STRONG> field contains sum of bytes indexed.</P><P>Now you only have to filter out the saturdays/sundays (possibly with strftime) and do a stats avg and Robert is your father's brother.</P> Fri, 13 Oct 2023 19:41:33 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660736#M54368 PickleRick 2023-10-13T19:41:33Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660763#M54370 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261177">@scout29</a>&nbsp;,</P><P>only completing the perfect solution from&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;:</P><LI-CODE lang="markup">index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" NOT date_wday IN ("saturday", "monday") | stats avg(b) AS bytes BY date_month | eval TB= bytes/1024/1024/1024/1024</LI-CODE><P>if you want to exclude also holydays from your average, you have to create a lookup containing the holydays for the exclusion.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 14 Oct 2023 06:00:30 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660763#M54370 gcusello 2023-10-14T06:00:30Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660781#M54372 <P>I don't like to use the default time-related fields.</P><P>1. They don't have to be present</P><P>2. Quoting the docs:</P><P><STRONG>Note:</STRONG> Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.</P> Sat, 14 Oct 2023 12:31:26 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660781#M54372 PickleRick 2023-10-14T12:31:26Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660887#M54385 <P>So i am using the below search run over the past 365 days, however it is only providing me with the last month. How do i get the average monthly ingest (excluding weekends) for each month over the past year?</P> <LI-CODE lang="markup">index=_internal source=*license_usage.log* type="RolloverSummary" splunk_server=* NOT date_wday IN ("saturday", "sunday") | stats avg(b) AS bytes BY date_month | eval TB=(bytes/1024/1024/1024/1024)</LI-CODE> Mon, 16 Oct 2023 15:52:45 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660887#M54385 scout29 2023-10-16T15:52:45Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660888#M54386 <P>So i am using the below search run over the past 365 days, however it is only providing me with the last month. How do i get the average monthly ingest (excluding weekends) for each month over the past year?</P> <LI-CODE lang="markup">index=_internal source=*license_usage.log* type="RolloverSummary" splunk_server=* NOT date_wday IN ("saturday", "sunday") | stats avg(b) AS bytes BY date_month | eval TB=(bytes/1024/1024/1024/1024)</LI-CODE> Mon, 16 Oct 2023 15:52:14 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660888#M54386 scout29 2023-10-16T15:52:14Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660914#M54390 <P>Check your _internal index retention policy. If your index rolls to frozen in 30 days you simply don't have the events for a longer timespan.</P> Mon, 16 Oct 2023 17:12:42 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Average-Daily-Ingest-by-Month-Excluding-Weekends/m-p/660914#M54390 PickleRick 2023-10-16T17:12:42Z