topic Re: How to display count from last week and avg from last month on one timechart in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502365#M139844 <P>Thanks, but it doesn't work correctly. Displays only week_count result, but mon_avg_count is empty. If change function from avg to count for (eval(if(last_mon_flag=1,_raw,""))) I receive the same result as for count(eval(if(last_week_flag=1,_raw,""))). </P> Wed, 30 Sep 2020 05:28:09 GMT slipinski 2020-09-30T05:28:09Z How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502361#M139840 <P>I'm trying to plot count of errors from last week per day and daily average value from month. The result from query below gives me only result from Monday (other dayweeks are missing). What did I wrong?<BR /> avg(count) DailyCount Dayweek<BR /> 6903.6 3730 1 - Mon</P> <P>index="abc" sourcetype=alarms_log earliest=-30d@d latest=@d<BR /> | bucket _time span=1day<BR /> | stats count by _time | stats avg(count)<BR /> | join <BR /> [search index="abc" sourcetype=alarms_log earliest=-7d@d latest=-1d@d<BR /> | timechart span=1d count as DailyCount<BR /> | eval Dayweek=strftime(_time,"%w - %a") ]</P> <P>regards,<BR /> Szymon</P> Wed, 30 Sep 2020 05:30:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502361#M139840 slipinski 2020-09-30T05:30:02Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502362#M139841 <P><CODE>join</CODE> needs <CODE>field-name</CODE></P> <P>reference: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join</A></P> Mon, 18 May 2020 10:11:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502362#M139841 to4kawa 2020-05-18T10:11:27Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502363#M139842 <P>Thanks. This below gives me cycles per a weekday. Could you point me how to make 30 daily average as a reference point to daily data? I got now:</P> <P>Dayweek AvgPerDayWeek DailyCount<BR /> 1 - Mon 10402.75 3730<BR /> 2 - Tue 9209.75 3237<BR /> 3 - Wed 1073 3194<BR /> 4 - Thu 3688.75 13892</P> <P>and would like to have:<BR /> Format<BR /> Preview<BR /> Dayweek AvgPerDayWeek DailyCount<BR /> 1 - Mon 10340.32 3730<BR /> 2 - Tue 10340.32 3237<BR /> 3 - Wed 10340.32 3194<BR /> 4 - Thu 10340.32 13892</P> <P>Maybe subsearch together with eventstats command will be more useful?</P> <P>index="abc" sourcetype=alarms_log earliest=-30d@d latest=@d<BR /> | timechart count span=1d AS dailycount <BR /> | eval Dayweek=strftime(_time,"%w - %a")<BR /> | stats avg(dailycount) AS AvgPerDayWeek by Dayweek<BR /> | join Dayweek<BR /> [search index="abc" sourcetype=alarms_log earliest=-7d@d latest=-1d@d <BR /> | timechart span=1d count as DailyCount<BR /> | eval Dayweek=strftime(_time,"%w - %a") ]</P> Wed, 30 Sep 2020 05:30:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502363#M139842 slipinski 2020-09-30T05:30:09Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502364#M139843 <P>Don't use join, you will hit limits if the time window gets big enough and your granularity gets too small. Use some conditional logic instead</P> <PRE><CODE> index="abc" sourcetype=alarms_log earliest=-30d@d latest=@d | bucket _time span=1day | eval one_week_ago=now()-604800 | eval one_mon_ago=now()-2592000 | eval last_week_flag=if(_time&gt;one_week_ago,1,0) | eval last_mon_flag=if(_time&gt;one_mon_ago,1,0) | stats count(eval(if(last_week_flag=1,_raw,""))) AS week_count avg(eval(if(last_mon_flag=1,_raw,""))) AS mon_avg_count </CODE></PRE> Mon, 18 May 2020 14:40:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502364#M139843 skoelpin 2020-05-18T14:40:52Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502365#M139844 <P>Thanks, but it doesn't work correctly. Displays only week_count result, but mon_avg_count is empty. If change function from avg to count for (eval(if(last_mon_flag=1,_raw,""))) I receive the same result as for count(eval(if(last_week_flag=1,_raw,""))). </P> Wed, 30 Sep 2020 05:28:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502365#M139844 slipinski 2020-09-30T05:28:09Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502366#M139845 <P>Opps, we're aggregating on a text value of _raw. Try this</P> <PRE><CODE>index="abc" sourcetype=alarms_log earliest=-30d@d latest=@d | bucket _time span=1day | eval one_week_ago=now()-604800 | eval one_mon_ago=now()-2592000 | eval last_week_flag=if(_time&gt;one_week_ago,1,0) | stats count(eval(if(last_week_flag=1,_raw,""))) AS week_count by _time | eval last_mon_flag=if(_time&gt;one_mon_ago,1,0) | eventstats avg(eval(if(last_mon_flag=1,week_count,""))) AS mon_avg_count </CODE></PRE> Tue, 19 May 2020 15:51:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502366#M139845 skoelpin 2020-05-19T15:51:11Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502367#M139846 <PRE><CODE>| tstats count where index=_internal earliest=-30d@d latest=@d by _time span=1d | timewrap 1w | untable _time days count | eventstats avg(count) as monthly_avg avg(eval(if(days="latest_week",count,NULL))) as weekly_avg by _time | dedup monthly_avg weekly_avg | table _time monthly_avg weekly_avg </CODE></PRE> <P>It's easy to use <CODE>timwrap</CODE> and <CODE>untable</CODE></P> Tue, 19 May 2020 20:08:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502367#M139846 to4kawa 2020-05-19T20:08:51Z Re: How to display count from last week and avg from last month on one timechart https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502368#M139847 <P>Odd output <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Displays last_mon_flag instead mon_avg_count.</P> <P>_time week_count last_mon_flag<BR /> 1 2020-04-25 3 0<BR /> 2 2020-04-27 58 0<BR /> 3 2020-05-01 1 0<BR /> 4 2020-05-04 1 0<BR /> 5 2020-05-06 1 0<BR /> 6 2020-05-08 68 0<BR /> 7 2020-05-13 1 0<BR /> 8 2020-05-15 11 0<BR /> 9 2020-05-16 3 0<BR /> 10 2020-05-19 1 0</P> Wed, 30 Sep 2020 05:30:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-count-from-last-week-and-avg-from-last-month-on/m-p/502368#M139847 slipinski 2020-09-30T05:30:57Z