https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188053#M54171 <P>Getting started with stats, eventstats and streamstats may be what you are looking for.</P> <P><A href="http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/">http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/</A></P> <P>If that does not help more info will be needed.</P> Tue, 19 May 2015 19:43:48 GMT thomrs 2015-05-19T19:43:48Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188050#M54168 <P>Hi Sir:</P> <P>The first query I calculate the daily amount, calculated after the date +7 days, the average amount of 5/9 to 5/16, the field name is Totalweekqty, Totalweekqty still calculate the number of the day. How do i make |search now &lt; week| or | where now &lt; month | working? Thank you.</P> <P>sourcetype=xxx PartNo=123 VendorCode=1000 storage_in_date=2014-05-09* <BR /> | eval Indate = substr(storage_in_date, 1, len(storage_in_date)-13)<BR /> | eval now = strptime(Indate, "%Y-%m-%d") <BR /> |eval week=(now+604800) <BR /> |eval month=(now+2592000) <BR /> | stats sum(qty) as Totaldayqty values(now) as now values(week) as week values(month) as month by VendorCode,PartNo<BR /><BR /> |search now &lt; week <BR /> | stats values(Totaldayqty) as Totaldayqty avg(Totaldayqty) as Totalweekqty values(now) as now values(week) as week values(month) as month by VendorCode,PartNo<BR /><BR /> | where now &lt; month | stats values(Totaldayqty) as Totaldayqty values(Totalweekqty) as Totalweekqty avg(Totalweekqty) as Totalmonthkqty by VendorCode,PartNo |</P> Mon, 28 Sep 2020 19:54:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188050#M54168 chengyu 2020-09-28T19:54:05Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188051#M54169 <P>Hi,</P> <P>As you are constructing week and month from now, following case will be always true</P> <P>now &lt; week &lt; month</P> <P>Also, for all the events, you will get same values for now, week, and month.</P> <P>Can you please explain what is required? If possible, share some sample events and what is the expected output.</P> <P>Thanks!!</P> Thu, 14 May 2015 05:34:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188051#M54169 vganjare 2015-05-14T05:34:07Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188052#M54170 <P>You need to scrap everything after the first pipe ("|"), show us a few events from your base search, and then clearly explain what you are trying to accomplish. Your search makes no sense and there is not enough explanation to allow us to understand what you are trying to do.</P> Tue, 19 May 2015 15:13:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188052#M54170 woodcock 2015-05-19T15:13:04Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188053#M54171 <P>Getting started with stats, eventstats and streamstats may be what you are looking for.</P> <P><A href="http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/">http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/</A></P> <P>If that does not help more info will be needed.</P> Tue, 19 May 2015 19:43:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188053#M54171 thomrs 2015-05-19T19:43:48Z https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188054#M54172 <P>Hi Guys, finally use "delta" command, thank you everybody kindly support.</P> Wed, 20 May 2015 05:13:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-a-weekly-average-and-daily-total/m-p/188054#M54172 chengyu 2015-05-20T05:13:45Z