Splunk Search

Change hour interval to days and replace the value with average

sndpgiri
Engager

I have a column that has events recorded in an interval of 1 hour.

Example:

Date              Value
2010-1-1 1:00     20
2010-1-1 2:00     22
2010-1-1 3:00     21
2010-1-1 4:00     19
2010-1-1 5:00     16
...               ...
2010-1-1 24:00    12

I want to group this as one row, i.e. display it in the following format:

Date              Value
2010-1-1          Calculate average of 24 values

I want to achieve this in Splunk.

0 Karma

ITWhisperer
SplunkTrust
| bin date span=1d
| stats avg(Value) as average by date

Note that date needs to be an epoch datetime, so you may need to strptime first if you don't already have it in this format.

0 Karma

sndpgiri
Engager

No luck! It displays all 24 time intervals instead of showing 1 event for those 24 rows.

0 Karma

ITWhisperer
SplunkTrust

It sounds like date is not an epoch datetime - try replacing bin with strptime

| eval date=strptime(date,"%Y-%m-%d")


0 Karma
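As an added example (not posted by either participant) of the whole pipeline from string timestamps to one averaged row per day, using 48 constructed hourly rows from makeresults in place of the asker's data and assuming the Date strings are zero-padded like 2010-01-01 01:00; the field names hour_offset, date_epoch, average and samples are chosen here, not taken from the thread:

```spl
| makeresults count=48
| streamstats count AS n
| eval hour_offset = n - 1
| eval Date = strftime(strptime("2010-01-01", "%Y-%m-%d") + hour_offset * 3600, "%Y-%m-%d %H:%M")
| eval Value = 10 + (hour_offset % 12)
| fields Date Value
| eval date_epoch = strptime(Date, "%Y-%m-%d %H:%M")
| bin date_epoch span=1d
| stats avg(Value) AS average, count AS samples BY date_epoch
| eval Date = strftime(date_epoch, "%Y-%m-%d")
| fields Date average samples
```

The first six lines only build the sample data; the real answer starts at the strptime line, and samples should read 24 for every day. A lower count means some Date strings did not match the strptime format (the 24:00 row in the question would do that, since %H accepts only 00 to 23), so those rows came back with a null date_epoch and were dropped from the grouping.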