Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

AVG of Size by day

pinzer
Path Finder
‎11-08-2010 11:48 AM

Hi all, i need to take the avg of Size by day.

sourcetype="sophos" pmx_action="keep" fur!="none"| bucket _time span=1d | timechart span=1d sum(Size) as sum_size | stats last(sum_size) as today_count avg(sum_size) as avg_size

How can i take the avg_size value correctly?

I do not have to take the avg of the daily values but the avg of the daily sum in the month. Thanks a lot

Tags (1)
0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎11-08-2010 03:42 PM

It sounds like you should be creating a daily summary and then searching against that result at the end of the monthly period. We call this summary indexing in Splunk terms. Since you need to store the actual daily sum on a daily basis, you really want to be creating your daily average against those result sets. See the docs for more information on how to do this:

http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...