https://community.splunk.com/t5/Splunk-Search/avg-of-number-of-events/m-p/64029#M15825 <P>Hi all, i need to count the event of today and compare with the average of the last month daily count by dest. I'm using a query like this that separate the ip's and now i have to show the average of count by the same dest</P> <P><CODE>eventtype="searchIPS1" DestinationIP!="N/A" Severity="Medium" |eval dest=case(DestinationIP=="1.1.1.1", "sshDMZ", DestinationIP=="1.1.1.2", "sshDMZ", (DestinationIP!="1.1.1.1" AND DestinationIP!="1.1.1.2"), "Others") | stats last(count) as today_count avg(count) as avg_count</CODE></P> <P>for example:</P> <P>dest | today_count | avg_count<BR /> sshDMZ | 8 | 5,67<BR /> others | 7 | 9,89</P> <P>thanks to all who can help me</P> Tue, 05 Oct 2010 22:46:52 GMT pinzer 2010-10-05T22:46:52Z https://community.splunk.com/t5/Splunk-Search/avg-of-number-of-events/m-p/64029#M15825 <P>Hi all, i need to count the event of today and compare with the average of the last month daily count by dest. I'm using a query like this that separate the ip's and now i have to show the average of count by the same dest</P> <P><CODE>eventtype="searchIPS1" DestinationIP!="N/A" Severity="Medium" |eval dest=case(DestinationIP=="1.1.1.1", "sshDMZ", DestinationIP=="1.1.1.2", "sshDMZ", (DestinationIP!="1.1.1.1" AND DestinationIP!="1.1.1.2"), "Others") | stats last(count) as today_count avg(count) as avg_count</CODE></P> <P>for example:</P> <P>dest | today_count | avg_count<BR /> sshDMZ | 8 | 5,67<BR /> others | 7 | 9,89</P> <P>thanks to all who can help me</P> Tue, 05 Oct 2010 22:46:52 GMT https://community.splunk.com/t5/Splunk-Search/avg-of-number-of-events/m-p/64029#M15825 pinzer 2010-10-05T22:46:52Z https://community.splunk.com/t5/Splunk-Search/avg-of-number-of-events/m-p/64030#M15826 <P>I spent quite a while finding how to do this myself. I think the following would do what you need:</P> <PRE><CODE>eventtype="searchIPS1" DestinationIP!="N/A" Severity="Medium" earliest=-30d@d latest=@d | eval dest=case(DestinationIP=="1.1.1.1", "sshDMZ", DestinationIP=="1.1.1.2", "sshDMZ", (DestinationIP!="1.1.1.1" AND DestinationIP!="1.1.1.2"), "Others") | bin _time span=1d | stats max(count) as PerDay by _time dest | stats avg(PerDay) as MonthlyAverage by dest | fields MonthlyAverage dest | join type=outer dest [search eventtype="searchIPS1" DestinationIP!="N/A" Severity="Medium" earliest=@d latest=now |eval dest=case(DestinationIP=="1.1.1.1", "sshDMZ", DestinationIP=="1.1.1.2", "sshDMZ", (DestinationIP!="1.1.1.1" AND DestinationIP!="1.1.1.2"), "Others") | bin _time span=1d | stats last(count) as Today by dest | fields Today dest ] </CODE></PRE> <P>Or generically: </P> <PRE><CODE>#YourSearchHere# earliest=-30d@d latest=@d | bin _time span=1d | stats #PerDayStats# as PerDay by _time #SplittingField# | stats avg(PerDay) as MonthlyAverage by #SplittingField# | fields MonthlyAverage #SplittingField# | join type=outer #SplittingField# [ search #YourSearchHere# earliest=@d latest=now | bin _time span=1d | stats #Today'sStats# as Today by #SplittingField# | fields Today #SplittingField# ] </CODE></PRE> <P>Essentially, the above does your search for the Monthly Average first, leaves only the two relevant fields (dest and MonthlyAverage), then joins it to a second search for Today's values, based on the dest.</P> <P>There are a couple of other ways to do it that have come up in Splunk Answers, so one of them may be better, but give the above a shot. </P> Wed, 06 Oct 2010 22:04:14 GMT https://community.splunk.com/t5/Splunk-Search/avg-of-number-of-events/m-p/64030#M15826 David 2010-10-06T22:04:14Z