Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Average Failed Logins by Day of Week For Last 90 Days

SplunkLunk
Path Finder
‎09-14-2020 08:36 AM

Greetings,

The search I am using currently is giving me the total number of failed logins by day of the week for the last 90 days:

| base search event="login_fail"
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count by weekday
| stats avg(count) by weekday

The problem is I want to find the daily average number of failed logins for the last 90 days.  For example, in the search above is shows a total of 625 failed logins for Fridays.  The last line of the search isn't providing any value so it's not needed.  Is there a way to modify my search to get that average number instead of the total count for Fridays?  For example, since there are ~12 Fridays over the last 90 days that would come out to ~52 failed logins on Fridays (12 * 52 is where I get the 625).    Thanks for any help.

Labels (2)
Labels
0 Karma
Reply

danielansell
Path Finder
‎09-15-2020 08:50 AM

Try this:

| base search event="login_fail"
| eval weekday=strftime(_time,"%A"), date=strftime(_time,"%x")
| stats count by date, weekday
| stats avg(count) by weekday

0 Karma
Reply

SplunkLunk
Path Finder
‎09-14-2020 10:53 AM

I want to do what the person in this old post tried to do but the solution there isn't working for me:

https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2020 09:01 AM

Try this variation of your query.

base search
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count, dc(date_mday) as days by weekday
| eval avg=count/days
| table weekday avg
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SplunkLunk
Path Finder
‎09-14-2020 09:02 AM

Thanks for the response.  But that search doesn't produce any results in the "avg" column.  It's blank.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-14-2020 02:19 PM

Hi

can you check your base search as this is working for me

index=_internal earliest=-1mon
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count, dc(date_mday) as days by weekday
| eval avg=count/days
| table weekday avg
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...