Splunk Search

AVG of Size by day

pinzer
Path Finder

Hi all, I need to take the avg of Size by day.

sourcetype="sophos" pmx_action="keep" fur!="none"| bucket _time span=1d | timechart span=1d sum(Size) as sum_size | stats last(sum_size) as today_count avg(sum_size) as avg_size

How can I take the avg_size value correctly?

I do not have to take the avg of the daily values but the avg of the daily sum in the month. Thanks a lot.


Simeon
Splunk Employee

It sounds like you should be creating a daily summary and then searching against that result at the end of the monthly period. We call this summary indexing in Splunk terms. Since you need to store the actual daily sum on a daily basis, you really want to be creating your daily average against those result sets. See the docs for more information on how to do this:

http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing
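An added example of the summary-indexing approach described above (not from the original thread): a daily scheduled search writes each day's sum of Size to a summary index, and a second search averages those daily sums over the month. The summary index name `summary_sophos` and the marker field `report=sophos_daily_size` are assumed.

```spl
# Scheduled search, run once a day shortly after midnight (cron e.g. 0 1 * * *).
# Sums Size for the previous calendar day only, so partial days never skew the summary.
# Assumed index name and marker field; adjust to your environment.
sourcetype="sophos" pmx_action="keep" fur!="none" earliest=-1d@d latest=@d
| stats sum(Size) as sum_size
| eval _time=relative_time(now(), "-1d@d"), report="sophos_daily_size"
| collect index=summary_sophos

# Monthly search against the stored daily sums: one event per day, so
# avg(sum_size) is the average of the daily sums, not of the raw events.
# Sort by _time so last(sum_size) is the most recent day's sum.
index=summary_sophos report="sophos_daily_size" earliest=-1mon@mon latest=@mon
| sort _time
| stats last(sum_size) as today_count avg(sum_size) as avg_size count as days_stored
```

`days_stored` is a sanity check: if it is lower than the number of days in the month, the scheduled search skipped a run and the average is computed over fewer days than expected.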
