topic Re: Event Count by Average Overtime in Splunk Search

Event Count by Average Overtime

TwitchyB — Thu, 01 Feb 2024 13:33:44 GMT

Hello, I'm starting out on my splunk journey and have been tasked with figuring out a dashboard for my executives. I created a layout for a dashboard and had the idea of creating a chart, but have been struggling with the logic.

What I'm looking to do is have a the count/average count over time by time so I have a chart of percentages of the day against their average thruput. I had a few ideas for the search but none seemed to work.

could someone give me some direction please on what I've gotten so far? (its definitely wrong)

index=*
| where index="Index 1" OR index="Index 2" OR index="Index 3"
| eval Count=sum(count(index)) / "something something something to get the average"
| timechartcount by Count

Re: Event Count by Average Overtime

scelikok — Wed, 31 Jan 2024 21:45:08 GMT

Hi @TwitchyB,

You can try below;

index="Index 1" OR index="Index 2" OR index="Index 3" | timechart count by index

Re: Event Count by Average Overtime

TwitchyB — Thu, 01 Feb 2024 13:32:32 GMT

Thank you for your reply. I've sort of gotten that far, but where I'm really struggling is trying to make each index their percentage of their respective thruput, sorry if I didn't clarify that in the question.

Re: Event Count by Average Overtime

yuanliu — Sat, 03 Feb 2024 00:38:32 GMT

Percentage as the sum of values in each time bucket?

index IN ("Index 1", "Index 2", "Index 3") | timechart count by index | addtotals | foreach * [eval <<FIELD>> = if(Total == 0, 0, <<FIELD>> / Total * 100)] | fields - Total

As @scelikok indicates, move index filter into index search is more efficient. (The above is an alternative syntax.)