Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Columns split by Sum and Average over _time

glancaster
Path Finder
‎05-30-2014 07:28 AM

Hello all,

I am having a terrible time trying to get this logic correct and maybe someone can chime in to help a bit.

I would like the sum of searches per day of all users split by the avg number of searches by user over 90 days but I can't seem to work it out just right. I am able to post the average of the total search across the chart but not the daily average. 

index=_audit host=search-* earliest=-90d latest=-1d  search_id!=scheduler_* 
| bucket _time span=1d 
|stats count by _time 
| eventstats avg(count) as SearchAVG

Any help is appreciated. Thank you!

https://drive.google.com/file/d/0B7c2Ap0cICFka243RFlqeTVRVlU/edit?usp=sharing

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-30-2014 07:55 AM

Try this

index=_audit host=search-* earliest=-90d latest=-1d  search_id!=scheduler_* 
| bucket _time span=1d 
    |stats count by _time,user 
    |stats sum(count) as TotalSearches, avg(count) by _time

This gives total search count (from all users) and daily average (for all user, total searches that day divided by total users that day).

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-30-2014 07:55 AM

Try this

index=_audit host=search-* earliest=-90d latest=-1d  search_id!=scheduler_* 
| bucket _time span=1d 
    |stats count by _time,user 
    |stats sum(count) as TotalSearches, avg(count) by _time

This gives total search count (from all users) and daily average (for all user, total searches that day divided by total users that day).

Reply
Solved! Jump to solution

glancaster
Path Finder
‎05-30-2014 08:46 AM

This worked exactly like I needed! Here is what I ended up with:

index=audit host=search-* earliest=-90d latest=-1d |search search_id=scheduler* | timechart dc(search_id) AS SchedSearches span=1d| appendcols [search index=audit host=search-* earliest=-90d latest=-1d search_id=scheduler* user=* | bucket _time span=1d |stats count by _time, user |timechart avg(count) as "AVG Search Head Usage"]

Do you know how I could ask to forget any users who did not have more than 5 searches that day? I tried adding in

|stats count by user
|search count > 5

but thats yielded no results.

Cheers!

0 Karma
Reply
Solved! Jump to solution

glancaster
Path Finder
‎05-30-2014 07:52 AM

_time, TotalSearches and AvgSearches (of all users) - all per day.

a graph over time with columns split by Total Searches per day and the Avg Searches by all users per day.

The part I can't work out is the avg of the dc(search_id) by users per day.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-30-2014 07:47 AM

What is the expected output?
_time...TotalSearches...AvgSearch

OR

_time...TotalSearches...AvgSearchUser1...AvgSearchUser2...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...