https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661391#M228349 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>.&nbsp;</P><P>I was running stats again to capture count which was already present in the data along with hour as mentioned by you</P><P>Here is final query :</P><LI-CODE lang="markup">index=summary_index_1d "value=Summary_test" app_name=abc HTTP_STATUS_CODE=2xx | eval current_day = strftime(now(), "%A") | eval log_day = strftime(_time, "%A") | eval day=strftime(_time, "%d")| eval dayOfWeek = strftime(_time, "%u") | where dayOfWeek &gt;=1 AND dayOfWeek &lt;= 5 | stats avg(count_value) by log_day,hour,day</LI-CODE><P>Let me know if any other changes are required on query which can improve its performance.&nbsp;<BR />Thanks Again.&nbsp;&nbsp;</P> Thu, 19 Oct 2023 14:24:18 GMT Tester237 2023-10-19T14:24:18Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661350#M228327 <P>Hi Team,&nbsp;</P><P>I'm using summary index for below requirement :<BR />1. Store daily counts of HTTP_Status_Code per hour for each of the application (app_name) on to daily summary index<BR />2. Once in a week, calculate the average for each app_name by hour, HTTP_STATUS_CODE for the stored values in daily summary index.&nbsp;<BR />3. This average values will be showed in dashboard widget.&nbsp;</P><P>But when I'm trying to calculate avg for the stored values, it isn't working. Below are the steps I'm following:</P><P>1. Pushing <STRONG>HTTP_Status_Code, _time,hour, day, app_name, count</STRONG> along with value "<STRONG>Summary_test</STRONG>" (for ease of filtering) to daily index named "<STRONG>summary_index_1d</STRONG>". Note : <EM>app_name</EM> is a extracted field. There are 25+ different values</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index="index" | fields HTTP_STATUS_CODE,app_name | eval HTTP_STATUS_CODE=case(like(HTTP_STATUS_CODE, "2__"),"2xx",like(HTTP_STATUS_CODE, "4__"),"4xx",like(HTTP_STATUS_CODE, "5__"),"5xx") | eval hour=strftime(_time, "%H") | eval day=strftime(_time, "%A") | bin _time span=1d | stats count by HTTP_STATUS_CODE,_time,hour,day,app_name | eval value="Summary_Test" | collect index=summary_index_1d </LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>2. Retrieve data from summary index. its showing up the data pushed</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=summary_index_1d "value=Summary_Test"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;3. Now I want to calculate the average for previous 2 or 4 weekday data stored in summary index. I'm using below as reference&nbsp;<BR /><BR /><A href="https://community.splunk.com/t5/Splunk-Enterprise/How-to-Build-Average-of-Last-4-Monday-Current-day-vs-Today-in-a/m-p/657868/highlight/true#M17385" target="_blank" rel="noopener">https://community.splunk.com/t5/Splunk-Enterprise/How-to-Build-Average-of-Last-4-Monday-Current-day-vs-Today-in-a/m-p/657868/highlight/true#M17385</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Trying to perform avg on summary index stored values. But this fails index=summary_index_1d "value=Summary_Test" app_name=abc HTTP_STATUS_CODE=2xx | eval current_day = strftime(now(), "%A") | eval log_day = strftime(_time, "%A") | eval hour=strftime(_time, "%H") | eval day=strftime(_time, "%d")| eval dayOfWeek = strftime(_time, "%u") | where dayOfWeek &gt;=1 AND dayOfWeek &lt;= 5 | stats count as value by hour log_day day | sort log_day, hour | stats avg(value) as average by log_day,hour</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><BR />I guess the "hour" in the query is creating conflict. I tried without it and also by changing the values, but not returning expected result. When the same query is used on main index, it works perfectly fine for my requirement. But when used on summary index, its not able to calculate the average.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">This works fine for the requirement. But when same is applied on "Summary index", it fails index=index app_name=abc | eval HTTP_STATUS_CODE=case(like(status, "2__"),"2xx") | eval current_day = strftime(now(), "%A") | eval log_day = strftime(_time, "%A") | eval hour=strftime(_time, "%H") | eval day=strftime(_time, "%d")| eval dayOfWeek = strftime(_time, "%u") | where dayOfWeek &gt;=1 AND dayOfWeek &lt;= 5 | stats count as value by hour log_day day | sort log_day, hour | stats avg(value) as average by log_day,hour</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><BR /><BR />Can you please help me understand what's wrong with query used on summary index ?&nbsp;<BR /><BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901" target="_blank" rel="noopener">@yuanliu</A><SPAN>&nbsp;</SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231989">@smurf</a>&nbsp;&nbsp;</P> Thu, 19 Oct 2023 11:25:26 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661350#M228327 Tester237 2023-10-19T11:25:26Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661357#M228333 <P>Perhaps it is this line?</P><LI-CODE lang="markup">| eval hour=strftime(_time, "%H")</LI-CODE><P>The _time value here will be the time for the start of the day when the summary index was updated i.e. the hour will always be 00</P> Thu, 19 Oct 2023 11:55:52 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661357#M228333 ITWhisperer 2023-10-19T11:55:52Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661373#M228341 <P>Yes. This is the one. In results, just 00 is being listed in hour column.&nbsp;<BR /><BR />how can this be resolved to achieve results similar to main index ?&nbsp;</P> Thu, 19 Oct 2023 13:10:48 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661373#M228341 Tester237 2023-10-19T13:10:48Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661375#M228343 <P>Try removing the line - hour should already be coming through from the summary index</P> Thu, 19 Oct 2023 13:41:02 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661375#M228343 ITWhisperer 2023-10-19T13:41:02Z https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661391#M228349 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>.&nbsp;</P><P>I was running stats again to capture count which was already present in the data along with hour as mentioned by you</P><P>Here is final query :</P><LI-CODE lang="markup">index=summary_index_1d "value=Summary_test" app_name=abc HTTP_STATUS_CODE=2xx | eval current_day = strftime(now(), "%A") | eval log_day = strftime(_time, "%A") | eval day=strftime(_time, "%d")| eval dayOfWeek = strftime(_time, "%u") | where dayOfWeek &gt;=1 AND dayOfWeek &lt;= 5 | stats avg(count_value) by log_day,hour,day</LI-CODE><P>Let me know if any other changes are required on query which can improve its performance.&nbsp;<BR />Thanks Again.&nbsp;&nbsp;</P> Thu, 19 Oct 2023 14:24:18 GMT https://community.splunk.com/t5/Splunk-Search/Summary-Index-To-calculate-weekly-average/m-p/661391#M228349 Tester237 2023-10-19T14:24:18Z