Splunk Search

Average count of events per day over a month

New Member

We are using Splunk to log all the mail that goes out through our webmail system. What I am looking to do is find the average number of messages that our top 10 users from each of our webmail pods send out each day. With the following search, I am able to get the average for whatever time frame I choose in the dropdown, but I haven't been able to figure out how to get a daily average over a week.

sourcetype="wbeout" pod="13" action="ACCEPT" | top limit=10 account | stats avg(count)

For instance, when I just ran that, I got 1 result with avg(count):
1. 1255.00000

So over 24 hours our top 10 accounts averaged sending 1255 messages each. What I am looking to do is get a report of the past 7 days what the average per day was.

1 Solution

Ultra Champion

Hi,

you'll need to get separate top data per day (in my example I use the built-in date_mday field), and then do the averages.

sourcetype="wbeout" pod="13" action="ACCEPT" | top limit=10 account by date_mday | stats avg(count) by date_mday

Hope this helps,

Kristian

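To show what the two-stage search above actually computes, here is an added Python model of the same pipeline over constructed events; it is not part of the answer or of Splunk. It keys on the full calendar date rather than date_mday (identical within a single month) and uses a small top limit so the cut-off is visible in the sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed stand-ins for sourcetype="wbeout" events: (timestamp, pod, action, account).
def _msgs(day, account, n, pod="13", action="ACCEPT"):
    return [(f"{day}T09:00:00", pod, action, account)] * n

EVENTS = (
    _msgs("2024-05-01", "alice", 5) + _msgs("2024-05-01", "bob", 3)
    + _msgs("2024-05-01", "carol", 2) + _msgs("2024-05-01", "dave", 1)
    + _msgs("2024-05-02", "alice", 4) + _msgs("2024-05-02", "bob", 4)
    + _msgs("2024-05-02", "erin", 1)
    + _msgs("2024-05-02", "frank", 7, pod="14")          # other pod: filtered out
    + _msgs("2024-05-02", "alice", 2, action="REJECT")   # not accepted: filtered out
)

def top_accounts_per_day(events, pod="13", action="ACCEPT", limit=10):
    """Model of: pod=<pod> action=<action> | top limit=<limit> account by <day>.
    Returns {day: [(account, count), ...]} with at most `limit` rows per day,
    sorted by count descending (ties keep first-seen order, like most_common)."""
    per_day = defaultdict(Counter)
    for ts, ev_pod, ev_action, account in events:
        if ev_pod != pod or ev_action != action:
            continue  # same role as the search filters before the first pipe
        day = datetime.fromisoformat(ts).date().isoformat()
        per_day[day][account] += 1
    return {day: counts.most_common(limit) for day, counts in sorted(per_day.items())}

def avg_top_count_per_day(top_by_day):
    """Model of the second stage: | stats avg(count) by <day>.
    Averages the per-account counts of the top rows within each day only."""
    return {day: mean(count for _, count in rows) for day, rows in top_by_day.items()}

def daily_report(events, limit=10, **filters):
    """Run both stages and return {day: average messages per top account}."""
    return avg_top_count_per_day(top_accounts_per_day(events, limit=limit, **filters))

if __name__ == "__main__":
    for day, avg in daily_report(EVENTS, limit=3).items():
        print(f"{day}: top-3 accounts averaged {avg:.2f} accepted messages")
```

Each day's average only ever sees that day's top rows, which is why the single-stage `top ... | stats avg(count)` over a week cannot be split by day afterwards.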


New Member

Awesome, this is what I was looking for. Thank you very much.
