Solved: Re: Finding avarage event count by time

Tankwell · ‎03-08-2021

Hey all,

Are you familiar with a way to find average event count by time?

I have an events that represents user logins.

I have to find a sequence of a few days in a raw with event count larger than 0 by username
I tried to do it with timechart command

<my search> | timechart span=1d count by username

and than to do an avg / another stat function like median on the count field, but it didn't lead to any results....

My goal is to get list of usernames which tried to access a few days in a row

Any Help?

scelikok · ‎03-08-2021

Hi @Tankwell,

Since you do not have username fields after timechart command , you cannot get any result. Please try below;

| bin _time span=1d 
| stats count by username _time 
| timechart avg(count) by username

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎03-08-2021

Hi @Tankwell,

Since you do not have username fields after timechart command , you cannot get any result. Please try below;

| bin _time span=1d 
| stats count by username _time 
| timechart avg(count) by username

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Tankwell · ‎03-16-2021

Hey,

Thanks for the fast reply 🙂

It seems to do the work - the bin function has aggregated the events well

After that I could use the stats command successfully

Thanks 😀

Tankwell

Finding avarage event count by time

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor