topic how do I get daily average over a month for all the pages I receive in Splunk Search

how do I get daily average over a month for all the pages I receive

vadud3 — Wed, 23 Jun 2010 04:54:42 GMT

I receive about say between 10 to 20 alerts per day. All these pages shows as an event in my splunk. How do I find out what is average number of events I received daily over a month

so I tried like this

| timechart span=30d count | eval average=count/30

does that look right?

so lets say I receive 10 alerts on day1, 9 alerts on day2 and 8 alerts on day3 .. and so on for a month. I like splunk to tell me something like 9 as the average number of alerts I receive daily over a month.

Thanks

Re: how do I get daily average over a month for all the pages I receive

Simeon — Wed, 23 Jun 2010 05:29:19 GMT

The best way to get statistics for this type of duration is to utilize a summary index:

http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing

That would allow you to do complete reporting across all the data over the whole month, on a daily basis.

Alternatively:

You could enable indexing of the $SPLUNK_HOME/var/log/splunk/scheduler.log file. This file logs when an alert is sent from the scheduler. You would need to find out the exact alert you are triggering. You can then report the total count over 30 days and use your eval statement as described.

Re: how do I get daily average over a month for all the pages I receive

gkanapathy — Wed, 23 Jun 2010 05:35:36 GMT

Probably easier to just use:

 ... | timechart span=1d count as dailycount | timechart span=1mon mean(dailycount)

which will work if you're dealing with partial months. (e.g., if today is the 22nd of the month and you run a report that goes over the last 60 days).

Re: how do I get daily average over a month for all the pages I receive

vadud3 — Thu, 24 Jun 2010 19:17:02 GMT

these alerts are not splunk related. for splunk they are just events.

Re: how do I get daily average over a month for all the pages I receive

jnichols914 — Wed, 19 Oct 2016 19:24:41 GMT

This is a bit old, but you can do this:

<your search here> | Stats avg(yourfield) by date_month,date_mday | sort date_mday

Re: how do I get daily average over a month for all the pages I receive

jlovik — Thu, 25 Mar 2021 19:27:52 GMT

Is there a way to remove any day where the specific event count is 0? I would like to remove any day where the logs did not import. The days with events 0 are throwing off my averages.