Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Average alarms per reader over time

msage
Path Finder
‎06-15-2021 08:14 AM

A bit ago I submitted a question regarding how to get the average alarms per reader. So for example we have 100 alarms and 100 readers. That's on average 1 alarm per reader. With the help of the forum I got my answer but now I need to figure out how to get a trend of this search. I tried using a timechart but based on the way the search is built, it completely skews the results. Here's the search itself 

 

index="index" EVDESCR="EVDESCR"
| dedup EVENT_TIME
| bucket _time span=1d
| stats count by READERDESC
| stats sum(count) as sum_count
| eval result=sum_count / 220

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-15-2021 09:13 PM

@msage You want to illustrate what timechart command you have tried and what is the difference between actual result and expected results so others can understand the intended use case.   The second stats  command in the search you illustrated negates the groupby in the first, and the time bucket  has  no effect.  The entire search can be collapsed as

 

index="index" EVDESCR="EVDESCR"
| dedup EVENT_TIME
| stats count as sum_count
| eval result=sum_count / 220

 

If I speculate your intentions based on the subject line and the illustrated search, you have  220 readers (not 100); you want a single average value, nothing grouped by READER_DESC.  This might be what you are asking for

 

index="index" EVDESCR="EVDESCR"
| dedup EVENT_TIME

| timechart span=1d count as average_alarms_per_reader
| eval average_alarms_per_reader = average_alarms_per_reader / 220

 

  Basically, count how many total alarms per day, and divide each count by  220.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-15-2021 09:13 PM

@msage You want to illustrate what timechart command you have tried and what is the difference between actual result and expected results so others can understand the intended use case.   The second stats  command in the search you illustrated negates the groupby in the first, and the time bucket  has  no effect.  The entire search can be collapsed as

 

index="index" EVDESCR="EVDESCR"
| dedup EVENT_TIME
| stats count as sum_count
| eval result=sum_count / 220

 

If I speculate your intentions based on the subject line and the illustrated search, you have  220 readers (not 100); you want a single average value, nothing grouped by READER_DESC.  This might be what you are asking for

 

index="index" EVDESCR="EVDESCR"
| dedup EVENT_TIME

| timechart span=1d count as average_alarms_per_reader
| eval average_alarms_per_reader = average_alarms_per_reader / 220

 

  Basically, count how many total alarms per day, and divide each count by  220.

Reply
Solved! Jump to solution

msage
Path Finder
‎06-17-2021 09:38 AM

Hey @yuanliu basically what it was doing was getting the average of all the days by 220 rather than average of each day. However the search string you just provided seems to be the perfect solution for this.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...