Calculate the average of some field per some time ...

frbuser · ‎03-16-2020

Query

 index::dlp 
    | bucket _time span=1d 
    | stats count(EVENT_DESCRIPTION) AS "Count" BY _time,User_Name,EVENT_TYPE,EVENT_DESCRIPTION 
    | stats median(Count) AS "Median" BY _time,EVENT_TYPE

I am trying to calculate the average or median number of DLP events per user per day for each different type of events. I don't think my query is correct as some of the numbers don't make sense.

I don't actually want to see the average number for each user, I just want to calculate the statistic for all users. I don't know if that makes sense. For example if there are 12 users and 3 types of events, I want to know on day 1 what the average number of events for each event type would be per user. But the result would only show 3 numbers which are the averages for each event type. So if they results were:

Send Mail: 10
Upload: 2
Download:5

I would interpret this as on day 1, each user had an average of 10 send mail events etc.

Ideally I would like to calculate this for any time frame.

to4kawa · ‎03-16-2020

index::dlp 
| bucket _time span=1d 
| stats count(EVENT_DESCRIPTION) AS "Count" BY _time,User_Name,EVENT_TYPE,EVENT_DESCRIPTION 
| eventstats sum(Count) as Count by  _time,EVENT_TYPE,EVENT_DESCRIPTION 
| stats median(Count) AS "Median" BY _time,EVENT_TYPE

Calculate the average of some field per some time period per some other field(s)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?