https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517385#M145484 <P>Hello,</P><P>I'm trying to chart typical week of our web application users based on data from last 4 weeks. Idea is, roughly explained, that I would calculate sum of request group (login, user accounts, etc - already done) per day and then created some type of "7 day window" in which there would be (seen in a graph) only 7 days but each day would be average of that day from last month.</P><P>So in a graph there would be (for example in case of request_group='login'):</P><P>Monday - 10 - which si average of sum in all mondays (10, 10, 5, 15, 10)<BR />Tuesday - 8 - which is avg of sum in all tuesdays (8, 10, 6, 8, <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span><BR />...and so on up until Sunday</P><P>part of my search is:</P><P><STRONG>host "server" sourcetype="access_combined"</STRONG><BR /><STRONG>... some eval stuff ...</STRONG><BR /><STRONG>| fields _time request_group</STRONG><BR /><STRONG>... here should by magic calculating data ...</STRONG></P><P>Thank you in advance. I've already tried different approach using streamstats or timewrap, but nothing worked as I intended.</P> Wed, 02 Sep 2020 06:25:49 GMT JakubJ 2020-09-02T06:25:49Z https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517385#M145484 <P>Hello,</P><P>I'm trying to chart typical week of our web application users based on data from last 4 weeks. Idea is, roughly explained, that I would calculate sum of request group (login, user accounts, etc - already done) per day and then created some type of "7 day window" in which there would be (seen in a graph) only 7 days but each day would be average of that day from last month.</P><P>So in a graph there would be (for example in case of request_group='login'):</P><P>Monday - 10 - which si average of sum in all mondays (10, 10, 5, 15, 10)<BR />Tuesday - 8 - which is avg of sum in all tuesdays (8, 10, 6, 8, <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span><BR />...and so on up until Sunday</P><P>part of my search is:</P><P><STRONG>host "server" sourcetype="access_combined"</STRONG><BR /><STRONG>... some eval stuff ...</STRONG><BR /><STRONG>| fields _time request_group</STRONG><BR /><STRONG>... here should by magic calculating data ...</STRONG></P><P>Thank you in advance. I've already tried different approach using streamstats or timewrap, but nothing worked as I intended.</P> Wed, 02 Sep 2020 06:25:49 GMT https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517385#M145484 JakubJ 2020-09-02T06:25:49Z https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517394#M145489 <LI-CODE lang="markup">index=_internal sourcetype=splunkd_access | bin _time span=1d | stats count by date_wday,_time | stats avg(count) as average by date_wday</LI-CODE> Wed, 02 Sep 2020 06:42:17 GMT https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517394#M145489 thambisetty 2020-09-02T06:42:17Z https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517409#M145494 <P>please like my answer if it solves your problem.:)</P> Wed, 02 Sep 2020 07:14:29 GMT https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517409#M145494 thambisetty 2020-09-02T07:14:29Z https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517413#M145495 <P>thank you for your hint. I was able to include this into my search, so last part in my case looks like this:<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">host "server" sourcetype="access_combined" ... some eval stuff ... | fields date_wday _time request_group | search request_group!="other" | bin _time span=1d | stats count by date_wday,request_group,_time | chart avg(count) as prumer by date_wday,request_group | eval sort_field = case(date_wday=="monday", 1, date_wday=="tuesday", 2, date_wday=="wednesday", 3, date_wday=="thursday", 4, date_wday=="friday", 5, date_wday=="saturday", 6, date_wday=="sunday", 7) | sort 0 sort_field</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>sorting is based (coppied <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ) from <A href="https://community.splunk.com/t5/Splunk-Search/Days-in-Alphabetical-Order-but-need-to-be-in-day-order-Tried/td-p/150403" target="_blank">https://community.splunk.com/t5/Splunk-Search/Days-in-Alphabetical-Order-but-need-to-be-in-day-order-Tried/td-p/150403</A></P> Wed, 02 Sep 2020 07:38:01 GMT https://community.splunk.com/t5/Splunk-Search/typical-week-base-on-month-data/m-p/517413#M145495 JakubJ 2020-09-02T07:38:01Z