Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Average count based on day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="apigee" sourcetype="apigee:hec" | search DeveloperAppName="someappname" | convert timeformat="%A" ctime(_time) AS date | stats count by date | sort -count
Tuesday 200
Monday 190
.
.
.
Saturday 20
Sunday 10
Above search is giving count based on day. But I am looking for avg count based on day. I tried adding avg before count but i didn't get any results
index="apigee" sourcetype="apigee:hec" | search DeveloperAppName="someappname" | convert timeformat="%A" ctime(_time) AS date | stats avg(count) by date | sort -count
I am looking for something like this
Tuesday 99% (add count of all tuesdays and divide by number of tuesday)
Monday 80%
..
...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would do something like below , please rename variables as per your need
index="wineventlog" | eventstats count as C| eventstats count as D by Date|stats values(C) as C, values(D) as D by Date| eval per= D/C * 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index="apigee" sourcetype="apigee:hec" DeveloperAppName="someappname"
| timechart span=1d count
| convert timeformat="%A" ctime(_time) AS date | stats avg(count) as count by date | sort -count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would do something like below , please rename variables as per your need
index="wineventlog" | eventstats count as C| eventstats count as D by Date|stats values(C) as C, values(D) as D by Date| eval per= D/C * 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for something similar. Buy my search is not giving proper c value.
If I select seven days, then c value will be 1 (i.e. one week cannot have more than 1 Monday, 1 Tuesday....) If my duration is 2 weeks then C value should be 2. How to get proper c value.
I am getting proper D value. PFB my search.
index="apigee" sourcetype="apigee:hec" | search DeveloperAppName="someappname" | convert timeformat="%A" ctime(_time) AS date | eventstats count(date) as C | eventstats count as D by date| stats values(C) as C, values(D) as D by date| eval AVG= D/C * 100
Your help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index="apigee" sourcetype="apigee:hec" | search DeveloperAppName="someappname" | convert timeformat="%A" ctime(_time) AS week | eval date=strftime(_time,"%Y/%m%d")| stats dc(date) as C, count as D by week| eval AVG= D/C`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what I was looking for. Thank you Vijeta.
The OpenTelemetry Certified Associate (OTCA) Exam
From Manual to Agentic: Level Up Your SOC at Cisco Live
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)
