All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count based on a rolling average

akpadhi
Explorer
‎03-09-2021 05:32 AM

I have following query which provides me details of a db userid whenever the count crosses X value, however I want to modify this to a dynamic search based on a rolling average of that value for last 10 days. Can you pls help?

 

index=abc sourcetype=DBConnectionUsage  | spath cdb | spath pdb | spath application_user | search cdb=* pdb=* application_user = "*" cluster="E3"| bin span=30m _time| stats sum(connection_count) as connection_count by application_user, pdb | where connection_count >100

 

 

I want to modify the where condition to where connection_count > 'avg (conn count for last 10 days)'.

Labels (4)
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2021 01:13 AM

I presume you want time to be part of your stats and that the ten day average is for application_user and pdb.

index=abc sourcetype=DBConnectionUsage  
| spath cdb 
| spath pdb 
| spath application_user 
| search cdb=* pdb=* application_user = "*" cluster="E3"
| bin span=30m _time
| stats sum(connection_count) as connection_count by _time, application_user, pdb 
| streamstats time_window=10d avg(connection_count) as tendayavg by application_user, pdb
| where connection_count > tendayavg
0 Karma
Reply

akpadhi
Explorer
‎03-10-2021 03:09 AM

@ITWhisperer i am getting an error Error in 'streamstats' command: time_window can only be used on input that is sorted in time order (both ascending and descending order are ok).

tried few options nothing worked, can you pls cross check..

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2021 03:18 AM 
| stats ... by _time ...

should be sorting by _time for you

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...