How to compare today events vs avg last week event...

christianubeda · ‎05-07-2019

Hi team!

I want to create an alert. I will compare today events vs lastweek avg events. If today is > 20%avgweek I will recibe an alert

This is my search right now but I can not obtain weekly average for every week.

index=* EventCode=5140 eventtype=wineventlog_security | timechart span=1d count as A | eventstats avg(A) as WeeklyAverage

Any suggestion?

koshyk · ‎05-07-2019

Is it something like below you expecting?

index=* EventCode=5140 eventtype=wineventlog_security  earliest=-30d
| timechart span=1d count as A 
| eventstats avg(A) as WeeklyAverage
| fields _time,WeeklyAverage
| timewrap 1week

christianubeda · ‎05-07-2019

First of all thank you for your response koshyk.

It did´t work. I always obtain the same number. I want to compare today events agaitns average last week events. If today event are >20 last week avg event I have to now.

_time WeeklyAverage_4weeks_before WeeklyAverage_3weeks_before WeeklyAverage_2weeks_before WeeklyAverage_1week_before WeeklyAverage_latest_week
2019-05-01 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-02 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-03 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-04 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-05 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-06 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646
2019-05-07 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646 14790.290322580646

How to compare today events vs avg last week events

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life