Greetings,
Splunk user but newbie still.
I am building some searches to show AWS CloudWatch data averages per account.
An example would be "Average CPUUtilization in account X during the past 30 days".
I'm currently getting data per EC2 instance with the following search:
index="aws" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name = CPUUtilization | table account_id metric_dimensions metric_name period Average
But of course, this shows only average per instance; I want to roll that data up to the account level and get the average for all instances within an account.
I suspect "stats" is what I need to use, but a nudge in the right direction would greatly help.
Do you mean:
index="aws" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name = CPUUtilization
| stats sum(eval(period*Average)) as totalAverage sum(period) as totalPeriod by account_id
| eval totalAverage = totalAverage/totalPeriod
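
The following Python sketch is an added illustration, not part of the original question or answer. It reproduces what the stats/eval pipeline above computes per account_id (a period-weighted average) next to a plain mean of the per-event Average values. The events are constructed sample data that reuse the field names from the search; the account and instance ids are placeholders.

```python
from collections import defaultdict

# Constructed sample events (not real data); field names follow the search above.
EVENTS = [
    {"account_id": "111111111111", "metric_dimensions": "InstanceId=i-aaa", "period": 300, "Average": 10.0},
    {"account_id": "111111111111", "metric_dimensions": "InstanceId=i-aaa", "period": 300, "Average": 20.0},
    {"account_id": "111111111111", "metric_dimensions": "InstanceId=i-bbb", "period": 3600, "Average": 80.0},
    {"account_id": "222222222222", "metric_dimensions": "InstanceId=i-ccc", "period": 300, "Average": 40.0},
    {"account_id": "222222222222", "metric_dimensions": "InstanceId=i-ddd", "period": 300, "Average": 60.0},
]


def account_averages(events):
    """Return {account_id: (period_weighted_avg, plain_avg)}."""
    weighted_sum = defaultdict(float)  # sum(eval(period*Average))
    total_period = defaultdict(float)  # sum(period)
    plain_sum = defaultdict(float)     # sum of Average, for the unweighted mean
    count = defaultdict(int)

    for event in events:
        acct = event["account_id"]
        period = float(event["period"])
        average = float(event["Average"])
        weighted_sum[acct] += period * average
        total_period[acct] += period
        plain_sum[acct] += average
        count[acct] += 1

    result = {}
    for acct in count:
        if total_period[acct] == 0:
            # No usable period for this account: the division is undefined, skip it.
            continue
        weighted = weighted_sum[acct] / total_period[acct]  # totalAverage/totalPeriod
        plain = plain_sum[acct] / count[acct]
        result[acct] = (weighted, plain)
    return result


if __name__ == "__main__":
    for acct, (weighted, plain) in sorted(account_averages(EVENTS).items()):
        print(f"{acct}  weighted={weighted:.2f}  plain={plain:.2f}")
```

When every event in an account has the same period, the two figures match; they diverge only when datapoints with different periods are mixed, as in the first constructed account.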