How to calculate average for several prior observations and compare that to the current observation?

New Member

Let's say I have a requirement to show an hourly count of payments in a timechart.
And let's say today is Monday.

I will do:

index=payments sourcetype=xyz | timechart span=1h count

Now, I need to show a comparative analysis of how the count of payments observed today at every hourly interval trends against the previous 2 weeks' Mondays. So basically an additional comparison line showing the average of the data from the previous 2 Mondays for the same time interval.

E.g., today (Monday), the number of payments at 10am was 100.
Last week Monday, the number of payments at 10am was 50.
The Monday of the week prior to that, the number of payments at 10am was 10.

So, the value of 100 should show up in today's line chart, and the average of 50 and 10, which is 50+10/2=30, should show up in a second line on the same chart.

And this is to be done for the entire day (on an hourly basis).

How do I do this? Please advise. Thank you!

0 Karma

Builder

Try the logic below:

index=payments sourcetype=xyz earliest=@d latest=now | eval day="today" | timechart span=1h count by day
| append [ search index=payments sourcetype=xyz earliest=-7d@d latest=-6d@d | eval day="last week" | eval _time=_time + 604800 | timechart span=1h count by day ]
| append [ search index=payments sourcetype=xyz earliest=-14d@d latest=-13d@d | eval day="2 weeks back" | eval _time=_time + 604800 * 2 | timechart span=1h count by day ]
0 Karma
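
The following is an added example, not part of the original answer: a single search that puts today's hourly count and the average of the two prior same-weekday counts on one chart, which is the second line the question asks for. It uses the index and sourcetype from the thread; the field names `weeks_back`, `today`, `prior_total` and `avg_prior_2_weeks` are made up for the example, and it assumes both prior days have data (the divisor is fixed at 2).

```spl
index=payments sourcetype=xyz
    ((earliest=@d latest=now) OR (earliest=-7d@d latest=-6d@d) OR (earliest=-14d@d latest=-13d@d))
| eval weeks_back = round((relative_time(now(), "@d") - relative_time(_time, "@d")) / 604800)
| eval _time = _time + weeks_back * 604800
| bin _time span=1h
| stats count(eval(weeks_back=0)) as today,
        count(eval(weeks_back>0)) as prior_total
        by _time
| eval avg_prior_2_weeks = prior_total / 2
| fields _time today avg_prior_2_weeks
```

Each prior event is shifted forward by whole weeks so it lands in today's matching hour bucket; hours that have not happened yet today show `today=0` next to the prior average, and a week that crosses a daylight-saving change will be offset by one hour.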