topic Re: Average alarms per reader over time in Splunk Search

Average alarms per reader over time

msage — Tue, 15 Jun 2021 15:14:43 GMT

A bit ago I submitted a question regarding how to get the average alarms per reader. So for example we have 100 alarms and 100 readers. That's on average 1 alarm per reader. With the help of the forum I got my answer but now I need to figure out how to get a trend of this search. I tried using a timechart but based on the way the search is built, it completely skews the results. Here's the search itself

Re: Average alarms per reader over time

yuanliu — Wed, 16 Jun 2021 04:14:01 GMT

@msage You want to illustrate what timechart command you have tried and what is the difference between actual result and expected results so others can understand the intended use case. The second stats command in the search you illustrated negates the groupby in the first, and the time bucket has no effect. The entire search can be collapsed as

index="index" EVDESCR="EVDESCR" | dedup EVENT_TIME | stats count as sum_count | eval result=sum_count / 220

If I speculate your intentions based on the subject line and the illustrated search, you have 220 readers (not 100); you want a single average value, nothing grouped by READER_DESC. This might be what you are asking for

index="index" EVDESCR="EVDESCR" | dedup EVENT_TIME | timechart span=1d count as average_alarms_per_reader | eval average_alarms_per_reader = average_alarms_per_reader / 220

Basically, count how many total alarms per day, and divide each count by 220.

Re: Average alarms per reader over time

msage — Thu, 17 Jun 2021 16:38:27 GMT

Hey @yuanliu basically what it was doing was getting the average of all the days by 220 rather than average of each day. However the search string you just provided seems to be the perfect solution for this.