Hi all, I need to take the avg of Size by day.
sourcetype="sophos" pmx_action="keep" fur!="none"| bucket _time span=1d | timechart span=1d sum(Size) as sum_size | stats last(sum_size) as today_count avg(sum_size) as avg_size
How can I take the avg_size value correctly?
I do not have to take the avg of the daily values but the avg of the daily sum in the month. Thanks a lot
It sounds like you should be creating a daily summary and then searching against that result at the end of the monthly period. We call this summary indexing in Splunk terms. Since you need to store the actual daily sum on a daily basis, you really want to be creating your daily average against those result sets. See the docs for more information on how to do this:
http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing
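One way to set up the summary-indexing approach described in the answer above, as an added example that is not part of the original thread. The stanza names, the cron schedule, the `summary` index name and the `last_day_sum` field are assumptions; the base search and the `sum_size` and `avg_size` field names come from the question.

```ini
# savedsearches.conf (added example; stanza names and schedule are assumed)

# 1) Daily populating search: runs shortly after midnight over the
#    previous full day and writes ONE event holding that day's sum(Size)
#    into the summary index.
[sophos_daily_size_summary]
search = sourcetype="sophos" pmx_action="keep" fur!="none" | stats sum(Size) as sum_size
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Send the result to a summary index instead of only keeping it in the
# search artifacts.
action.summary_index = 1
action.summary_index._name = summary

# 2) Reporting search: reads the stored daily sums for the current month
#    (completed days only) and averages them. Because each summary event
#    is already a daily total, avg() here is the average of the daily
#    sums, not the average of the raw Size values.
[sophos_month_avg_daily_size]
search = index=summary source="sophos_daily_size_summary" | stats latest(sum_size) as last_day_sum avg(sum_size) as avg_size
dispatch.earliest_time = @mon
dispatch.latest_time = @d
```

Events written by the summary-index action carry the populating search's name as their `source`, which is what the reporting search filters on. Days on which the populating search did not run are absent from the summary index and therefore drop out of the average.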