IT Operations Discussions
All the up-time. All the nines.

Finding avarage event count by time

Tankwell
Explorer

Hey all,

Are you familiar with a way to find average event count by time?

I have an events that represents user logins.

I have to find a sequence of a few days in a raw with event count larger than 0 by username
I tried to do it with timechart command

<my search> | timechart span=1d count by username


and than to do an avg / another stat function like median on the count field, but it didn't lead to any results....

My goal is to get list of usernames which tried to access a few days in a row

Any Help?

0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Tankwell,

Since you do not have username fields after timechart command , you cannot get any result. Please try below;

| bin _time span=1d 
| stats count by username _time 
| timechart avg(count) by username
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @Tankwell,

Since you do not have username fields after timechart command , you cannot get any result. Please try below;

| bin _time span=1d 
| stats count by username _time 
| timechart avg(count) by username
If this reply helps you an upvote and "Accept as Solution" is appreciated.

Tankwell
Explorer

Hey,

Thanks for the fast reply 🙂

It seems to do the work  - the bin function has aggregated the events well

After that I could use the stats command successfully

Thanks 😀

Tankwell

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...