Splunk Search

Comparing avg of last couple of week days transactions with current week day

sandeepmakkena
Contributor
sourcetype="busevt" OR sourcetype="sysout" TransactionId=TID* AND TransactionId!=TID earliest=-2w@w1 latest=@h+h 
| eval StartTime=relative_time(now(),"@w1") 
| eval Series=if(_time>=StartTime,"Today Count","Average Count") 
| eval Hour = strftime(_time,"%H") 
| stats dc(TransactionId) as count by date_wday Series 
| chart avg(count) by date_wday Series
| eval sort_field = case(date_wday=="monday", 1,
    date_wday=="tuesday", 2,
    date_wday=="wednesday", 3,
    date_wday=="thursday", 4,
    date_wday=="friday", 5,
    date_wday=="saturday", 6,
    date_wday=="sunday", 7) 
| sort 0 sort_field 
| fields - sort_field

Let's say we have 4 transactions on June 03 2019 and 6 on June 10 2019; the avg count should be 5, but here I'm getting 10 as my avg count. Can someone help me?
Thanks in advance.

0 Karma
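An added example, not part of the original post, that reproduces the arithmetic in Python on constructed events: four distinct TransactionIds on Monday 2019-06-03 and six on Monday 2019-06-10, each logged twice (once per sourcetype), plus one event whose TransactionId is exactly "TID" to show the filter. `avg_as_posted` mirrors the posted `stats dc(...) by date_wday | chart avg(count) by date_wday` pipeline, which collapses both Mondays into a single distinct count of 10; `avg_per_day` counts distinct ids per calendar day first and then averages per weekday, which gives 5. Function names and the sample data are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean


def _event(day, tid, sourcetype):
    return {"_time": datetime(2019, 6, day, 9, 0), "TransactionId": tid, "sourcetype": sourcetype}


# Constructed sample events (not from the original post).
SAMPLE_EVENTS = (
    # 4 distinct ids on Monday 2019-06-03, each seen in both sourcetypes
    [_event(3, f"TID{n:03d}", st) for n in range(1, 5) for st in ("busevt", "sysout")]
    # 6 distinct ids on Monday 2019-06-10, each seen in both sourcetypes
    + [_event(10, f"TID{n:03d}", st) for n in range(101, 107) for st in ("busevt", "sysout")]
    # an id that is exactly "TID" must be excluded by TransactionId!=TID
    + [_event(10, "TID", "busevt")]
)


def matches_filter(event):
    """Mirror the search filter TransactionId=TID* AND TransactionId!=TID."""
    tid = event.get("TransactionId", "")
    return tid.startswith("TID") and tid != "TID"


def date_wday(event):
    """Splunk's date_wday field: lowercase full weekday name, e.g. 'monday'."""
    return event["_time"].strftime("%A").lower()


def dc_by_weekday(events):
    """| stats dc(TransactionId) as count by date_wday   (as in the posted search)."""
    ids = defaultdict(set)
    for ev in filter(matches_filter, events):
        ids[date_wday(ev)].add(ev["TransactionId"])
    return {wday: len(s) for wday, s in ids.items()}


def avg_as_posted(events):
    """The posted pipeline: dc is taken across all weeks, so both Mondays merge
    into one row of 10 distinct ids, and chart avg() over that single row is 10."""
    return {wday: mean([count]) for wday, count in dc_by_weekday(events).items()}


def avg_per_day(events):
    """Count distinct ids per calendar day first, then average those per weekday.
    Equivalent to: stats dc(TransactionId) as count by Day date_wday | stats avg(count) by date_wday"""
    ids = defaultdict(set)
    for ev in filter(matches_filter, events):
        ids[(ev["_time"].date(), date_wday(ev))].add(ev["TransactionId"])
    per_wday = defaultdict(list)
    for (_, wday), s in ids.items():
        per_wday[wday].append(len(s))
    return {wday: mean(counts) for wday, counts in per_wday.items()}


if __name__ == "__main__":
    print("as posted :", avg_as_posted(SAMPLE_EVENTS))   # {'monday': 10}
    print("per day   :", avg_per_day(SAMPLE_EVENTS))     # {'monday': 5}
```

The difference is purely in the grouping key: dc() over two weeks of events for the same weekday yields the union of both days' ids, so the later avg() has nothing left to average. Adding a per-day field (for example strftime(_time,"%Y-%m-%d")) to the first stats BY clause gives one row per Monday, and a second stats avg(count) by date_wday then produces the expected 5.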

woodcock
Esteemed Legend

There is no reason to ever do something like this:

| stats ... BY foo bar
| chart ... BY foo bar

Whatever you are trying to do here is either wrong (perhaps you only need 1 BY field on the chart, not both) or can be done in a single call.

0 Karma