Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Comparision of hourly Log count by average log count of last 7 days.

phanirohith97
Observer
‎12-15-2020 09:42 PM
I have a Query need to compare hourly log count of today with the average value of last 7 days, if the count is greater then it should trigger an alert
Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-04-2021 09:45 AM

Hi @rally0321,

This can be achieved using different approach;

| tstats count where index=some_index earliest=-1d by _time span=1h 
| tstats append=t prestats=t count where index= some_index earliest=-7d@d latest=-1d@d by _time span=1h 
| table _time count psrsvd_gc 
| rename psrsvd_gc AS lastweek_counts 
| eventstats avg(lastweek_counts) as weekly_avg 
| where count>weekly_avg
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

rally0321
Path Finder
‎03-04-2021 08:38 PM 
| tstats count where index=some_index earliest=-1d by _time span=1h 
| tstats append=t prestats=t count where index= some_index earliest=-7d@d latest=-1d@d by _time span=1h 
| table _time count psrsvd_gc 
| rename psrsvd_gc AS lastweek_counts 
| eventstats avg(lastweek_counts) as weekly_avg 
| where count>weekly_avg

Thanks. I can see result with below change.

1. add prestats=t to 1st tstats
2. where count>weekly_avg need change as lastweek_counts>weekly_avg

However I see below gap.

1. the average is the average for the past 1 week + today's count.

2. the result include past 1 week record in case any hour of last week is > average.

We expect to have below result.

1. the average is the average for the past 1 week only

2. the result include today's entry only.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-15-2020 11:03 PM

@phanirohith97, please try below query;

| tstats count where index=some_index earliest=-1d by _time span=1h 
| where count > 
    [| tstats count where index=some_index earliest=-7d@d latest=-1d@d by _time span=1h 
    | stats avg(count) as count 
    | rename count as search]
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

rally0321
Path Finder
‎03-04-2021 05:32 AM 
| tstats count where index=some_index earliest=-1d by _time span=1h 
| where count > 
    [| tstats count where index=some_index earliest=-7d@d latest=-1d@d by _time span=1h 
    | stats avg(count) as count 
    | rename count as search]

Hi,

How can we show the average count in the result as well? I refer to value of search. Thanks.

_time                                                count
1 2021-03-04 09:00:00    491

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...