Re: Avg for 7 days and 15 days ....etc :)

harishalipaka · ‎07-09-2018

Hi Splunkers ,

Here below is my data look like that .In that i want to get avg(sum_PBD) based on Date
Conditions:-
1. If results are <= 7 avg(sum_PBD) by eachday -----------------here i got 7 results
2.If results are <= 1 month avg(sum_PBD) by weekwise-----------------here i got 4 results
3.If results are <= 2 months avg(sum_PBD) by 15days -----------------here i got 4 results
4.If results are >= 6 months avg(sum_PBD) by monthwise-----------------here i got monthwise results

Thanks in Advance.

Thanks
Harish

woodcock · ‎07-13-2018

If your data is from a lookup, try this:

| inputlookup LookupWith_Date_and_sumPDB
| eval _time = strptime(Date, "%m/%d/%Y")
| bucket _time [| inputlookup LookupWith_Date_and_sumPDB
                | eval _time = strptime(Date, "%m/%d/%Y")
                | stats range(_time) AS DateSpanSeconds
                | eval span=case(
                       DateSpanSeconds>=(6*30*24*60*60), "1m",
                       DateSpanSeconds>=(2*30*24*60*60), "15d",
                       DateSpanSeconds>=(1*30*24*60*60), "1w",
                       true(), "1d")
          | table span | format "" "" "" "" "" ""]
| stats avg(sum_PBD) BY _time

woodcock · ‎07-13-2018

I think you need something like this:

Your Base Search Here
| bucket _time [| noop | stats count AS span
                | addinfo | eval timepickerSpanSeconds=(info_max_time - info_min_time)
                | eval span=case(
                      timepickerSpanSeconds>=(6*30*24*60*60), "1m",
                      timepickerSpanSeconds>=(2*30*24*60*60), "15d",
                      timepickerSpanSeconds>=(1*30*24*60*60), "1w",
                      true(), "1d")
               | table span | format "" "" "" "" "" ""]
| stats avg(sum_PBD) BY _time

poete · ‎07-09-2018

Hello @harishalipaka,

I think the following goes in your way. It takes advantage of the earliest, latest and span arguments. In the following, I am just counting the *ERROR*s in the _internal index.

index=_internal ERROR earliest=-7d@d latest=now()
| timechart count span=1d
| append 
    [search index=_internal ERROR earliest=-30d@d latest=-8d@d
| timechart count span=7d]
| append 
    [search index=_internal ERROR earliest=-60d@d latest=-31d@d
| timechart count span=15d]

harishalipaka · ‎07-09-2018

hi @poete
Thanks for your reply .But i cann't get answer.
my data is from inputlookup not from index.

Thanks
Harish

poete · ‎07-09-2018

Hi @harishalipaka,

Sorry, I am not sure I understand. Why can't you replace index=_internal with |inputlookup?

harishalipaka · ‎07-09-2018

this is my output results ,not direct from lookup.
I already filtered with date range .i had only Date column which one display in image.
I want to filter with that Date column only

Thanks
Harish

poete · ‎07-09-2018

OK @harishalipaka,, I think I got it.

So, you could do the following:

<your base search of lookup>| eval _time=strptime(Date,"%d/%m/%Y")|
search earliest=-7d@d latest=now()
 | timechart avg(sum_PBD) span=1d
 | append [<your base search of lookup>| eval _time=strptime(Date,"%d/%m/%Y")|
search earliest=-30d@d latest=-8d@d
 | timechart avg(sum_PBD) span=1w]
....

Avg for 7 days and 15 days ....etc :)

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Avg for 7 days and 15 days ....etc :)

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR