Compare the NOW-1d count of event with the average...

fedevietti · ‎11-08-2010

Dear All,

I've got a problem with a Splunk search. I'd like to compare the last 24 h number of sent mail with the daily average of the last month.

The search that I'm using is the following:

sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=24h _time | timechart span=24h count | stats last(count) as today_count avg(count) as avg_count

The problem is that this search compare the average with the count of the event from 00.00 of the last day to the NOW time.

My will is to compare the NOW-1d count with the average. Is it possible? Regards

lguinn2 · ‎01-26-2012

sourcetype="sophos" pmx_action="keep" fur!="none"
earliest=-30d@d latest=@d | stats count as dailyCount by date_mday | stats avg(dailyCount) as  monthlyAvg |
join [search 
sourcetype="sophos" pmx_action="keep" fur!="none"
earliest=-24h@h latest=@h | stats count as todayCount ]

This search gives 2 results: monthlyAvg and todayCount

Compare the NOW-1d count of event with the averageof the last month

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Compare the NOW-1d count of event with the averageof the last month

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey