IT Operations Discussions
All the up-time. All the nines.

Finding avarage event count by time

Tankwell
Explorer

Hey all,

Are you familiar with a way to find average event count by time?

I have an events that represents user logins.

I have to find a sequence of a few days in a raw with event count larger than 0 by username
I tried to do it with timechart command

<my search> | timechart span=1d count by username


and than to do an avg / another stat function like median on the count field, but it didn't lead to any results....

My goal is to get list of usernames which tried to access a few days in a row

Any Help?

0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Tankwell,

Since you do not have username fields after timechart command , you cannot get any result. Please try below;

| bin _time span=1d 
| stats count by username _time 
| timechart avg(count) by username
If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @Tankwell,

Since you do not have username fields after timechart command , you cannot get any result. Please try below;

| bin _time span=1d 
| stats count by username _time 
| timechart avg(count) by username
If this reply helps you an upvote is appreciated.

Tankwell
Explorer

Hey,

Thanks for the fast reply 🙂

It seems to do the work  - the bin function has aggregated the events well

After that I could use the stats command successfully

Thanks 😀

Tankwell

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...