Greetings Splunk Community!
I've looked through the pages here and haven't been fortunate to find a working answer that matches what I'm looking for. I'm trying to compare an event within the past 24 hours against the average events seen in the past week or month. Below are some threads which seemed similar to my question.
https://community.splunk.com/t5/Splunk-Search/Need-help-on-how-to-alert-if-daily-count-exceed-30-day... <-- Unable to get this modified to work as desired
Below is a screenshot of the search and output. It appears to me that the Eval statement is just taking the count of Today and dividing it by 7. It is not producing an actual 7 day average of the past week.
I feel like I'm overlooking something obvious, but at the moment it is escaping me.
Try using eventstats
| gentimes start=-7 increment=1h
| eval _time=starttime
| eval count=random()%20

| timechart span=1d sum(count) as count
| timewrap week series=short
| eventstats avg(s*) as avg_s*
Thank you for taking some time to assist here! Looking at what you have, I presume this is for your test instance. I'm not fully understanding why I would need to reduce the increments to such a small value of just an hour. In addition, I'm trying to figure out the purpose of assigning the count a random value of 1-20. I have never used the random function before and according to the documentation it is taking a random value of 1-X and dividing it by X.
Just using what was shared, my search seems to fail. I've tried moving the lines around to get it to work, but have yet to find a working search.
The part before the blank lines generates some dummy data for the run-anywhere example. The timechart in the example was changed to sum(count), but you can use your own timechart command.
Ah, that makes a little more sense. I finally got a working query, thank you!
source="winevtlog:sec" EventCode=4625 earliest=-7d@d latest=@d
| timechart span=1d count
| timewrap week series=short
| eventstats avg(s*) as avg_s*
| table _time, _span, s0, avg_s0
| rename s0 AS Today avg_s0 AS "Weekly Average"
Now it's onto the visual clean-up of rounding to the whole number...
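The comparison the thread builds in SPL, as an added example that is not part of the original posts: plain Python run over constructed daily counts of EventCode 4625, showing why dividing today's count by 7 (the pitfall described in the first post) is not a trailing average, and adding a minimum-count floor so a near-zero baseline does not alert on its own. The counts, the 2x ratio and the floor of 20 are assumptions chosen for illustration.

```python
"""Today's failed-logon count (Windows EventCode 4625) versus the average of
the previous 7 full days. Constructed example, not Splunk code."""
from statistics import mean

# Constructed daily counts of EventCode 4625, oldest first; the last entry is
# today's (partial or complete) day, the seven before it are the baseline.
SAMPLE_DAILY_COUNTS = [12, 9, 15, 11, 8, 14, 10, 61]
QUIET_DAILY_COUNTS = [12, 9, 15, 11, 8, 14, 10, 13]


def naive_divide(today, window=7):
    """The pitfall from the first post: today's count divided by the window
    length. It never looks at the other days, so it is not an average."""
    return today / window


def trailing_baseline(daily_counts, window=7):
    """Return (today, baseline_avg). The baseline is the mean of the `window`
    days immediately before today; today itself is excluded so a spike does
    not inflate the value it is compared against."""
    if len(daily_counts) < window + 1:
        raise ValueError(f"need at least {window + 1} days, got {len(daily_counts)}")
    *history, today = daily_counts[-(window + 1):]
    return today, mean(history)


def evaluate(daily_counts, window=7, ratio=2.0, min_count=20):
    """Flag today when it exceeds `ratio` times the baseline AND at least
    `min_count` events, so that e.g. 3 logons against a baseline of 1 does not
    page anyone. Returns a small dict suitable for an alert payload."""
    today, baseline = trailing_baseline(daily_counts, window)
    if baseline == 0:
        # No prior activity at all: fall back to the absolute floor only.
        return {"today": today, "baseline_avg": 0.0, "ratio": None,
                "alert": today >= min_count}
    return {
        "today": today,
        "baseline_avg": round(baseline, 1),
        "ratio": round(today / baseline, 2),
        "alert": today >= min_count and today > ratio * baseline,
    }


if __name__ == "__main__":
    print("naive today/7:", round(naive_divide(SAMPLE_DAILY_COUNTS[-1]), 2))
    print("spike day:", evaluate(SAMPLE_DAILY_COUNTS))
    print("quiet day:", evaluate(QUIET_DAILY_COUNTS))
```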