Solved: Splunk Host Metrics Report

scout29 · ‎02-23-2024

I am trying to create a search that will generate a report showing host by event count in the last hour and also the average 7 day hourly event count per host.

So far i have the below search that shows host by event count over the last hour - but i am struggling to get a column added showing the weekly hourly average?

Any help on how i get a column added showing the 7 day hourly average for event count ?

gcusello · ‎02-23-2024

Hi @scout29,

let me understand: you want:

number of events by host in the last hour and the hourly average in the last seven days, is it correct?

please try this:

| tstats count WHERE index=* BY host _time span=1h
| stats 
   avg(count) AS Average
   values(eval(if(_time>=now()-3600,count,0))) AS "Last hour"
   BY host

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-23-2024

Hi @scout29,

let me understand: you want:

number of events by host in the last hour and the hourly average in the last seven days, is it correct?

please try this:

| tstats count WHERE index=* BY host _time span=1h
| stats 
   avg(count) AS Average
   values(eval(if(_time>=now()-3600,count,0))) AS "Last hour"
   BY host

Ciao.

Giuseppe

scout29 · ‎02-27-2024

@gcusello - Thanks! How could i modify this to include one more column showing the percent variance between the average count and latest hour count?

gcusello · ‎02-27-2024

Hi @scout29,

use an eval command at the end of the search.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Splunk Host Metrics Report

saved search

scheduled search

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...