
## Counting averages

Path Finder

I have data for users running in two modes: Online, and Cached.

I want to get the average number of connections for each type of user over a 1 week period, so that I have a line graph and compare the load on the server for each type of user.

How can I do this? I think I'm way off track...

```
index=sanindex source="rpc" | timechart span=1h count(client_name)
```

client_mode is either Online or Cached. client_name is the name of a connecting user.

Thank you

James

• Log Events
```
The logs contain
- client_mode: Classic, Cached, etc...
- client_name: 100s of different values

Each client_name is with either "client_mode=Classic" or "client_mode=Cached"
```
• What to achieve

1. Count of each client_user every hour in the past one week
2. Average the count of all the client_user per hour in the past one week
3. Compare the averaged user's client_mode, Classic and Cached, in order to see one "average" user's mode.
1 Solution
Splunk Employee
```
index=sanindex source="rpc" client_mode=Classic OR client_mode=cached earliest=-30d@d latest=@d
| bucket _time span=1h
| stats count by _time, client_name, client_mode
| timechart avg(count) by client_mode

```
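Added example, not part of the original thread: the same two-stage aggregation as the answer above, run against constructed events from `makeresults` so it can be tried on any Splunk instance without the `sanindex` data. The `uid` field, the 40 synthetic users, and the rule that even-numbered users are Cached and connect about a third as often are all assumptions made up for the illustration.

```spl
| makeresults count=20000
| eval uid=random() % 40
| eval client_name="user".uid, client_mode=if(uid % 2 == 0, "Cached", "Classic")
| eval _time=now() - (random() % 604800)
| where client_mode="Classic" OR random() % 3 == 0
| bin _time span=1h
| stats count by _time, client_name, client_mode
| timechart span=1h avg(count) by client_mode
```

The first `stats` produces one row per user per hour, so `avg(count)` is the average number of connections per active user in each mode. Swapping the last line for `timechart span=1h sum(count) by client_mode` gives the total connections per mode instead, which is the same figure a plain `timechart count by client_mode` returns.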
Path Finder

Thanks gkanpathy, but not quite.

I'd like to compare the average number of connections of each type, per day. So I take the average count of entries per day for client_mode=Cached, and the average count of entries per day where client_mode=Online, and then I can compare the two in a line graph.

```
index=sanindex source="rpc" client_name=* | timechart span=1h count by client_mode
```