How to write a rex to get daily average for time r...

sphiwee · ‎08-01-2022

| rex "^(?\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?[^\]]*)\]\s*\[(?[^\]]*)\]\s*\[(?[^\]]*)\]\s*[^\[]+\s\[(?[^\]]+)" | search Log_level="ERROR" | where Process != "" | stats count AS ERRORS by Process | sort - count asc

i have above query to help get ERROR count of our processes, but I want to get the daily average of the number of errors generated by each process between a certain time interval.. lets say from 6am to 6pm from monday to friday, How can I achieve this

ITWhisperer · ‎08-01-2022

It is not entirely clear what this search is doing. For example, the rex is not extracting any fields.

Assuming you have _time extracted correctly, you can determine the hour, restrict that to 6am to 6pm, then count by day and process

| search Log_level="ERROR"
| where Process != ""
| eval hour=strftime(_time,"%H")
| where hour >= 6 AND hour < 18
| eval day=strftime(_time,"%w")
| where day >= 1 AND day <= 5
| bin _time span=1d
| stats count AS ERRORS by _time Process
| sort 0 _time count

sphiwee · ‎08-01-2022

Hi thanks, but this query only brings back total results per process and not the average

ITWhisperer · ‎08-01-2022

| stats avg(ERRORS) by Process

How to write a rex to get daily average for time range?

other

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?