Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Determine frequency over time

chrisj
Engager
‎09-16-2020 08:52 PM

I am attempting to work out the frequency of events over the selected timespan in weeks.  Basically: count of events in current timespan divided by weeks in timespan.

I can get a count of events for the selected timespan using:

 

index=mydata
| stats count(eval(ishotfix= "false")) as hfx
| fields hfx

 

I can get the timepicker span weeks using (im sure this is terrible):

 

| makeresults
| addinfo
| eval timepickerSpanWeeks=round(((info_max_time - info_min_time)/60/60/24/7),0)
| fields timepickerSpanWeeks

 

and if I combine I am getting no results

 

| makeresults
| addinfo
| eval timepickerSpanWeeks=round(((info_max_time - info_min_time)/60/60/24/7),0)
| map search="search index=mydata"
| stats count(eval(ishotfix= "false")) as hfx
| eval rate=round((hfx/timepickerSpanWeeks), 2)
| fields rate

 

thanks in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisj
Engager
‎09-17-2020 02:30 PM 
index=mydata
| addinfo | eval timepickerSpanWeeks=round(((info_max_time - info_min_time)/60/60/24/7),0)
| where ishotfix= "false"
| eventstats count(timepickerSpanWeeks) as counter
| eval rate = round(counter / timepickerSpanWeeks,2)
| top rate
| fields rate

This is what got me the result, it seems like a poor way of getting it but the number of results isn't large.  Happy for someone to revise! 🙂  Thanks for your help @ITWhisperer 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-17-2020 12:25 AM

Try this

index=mydata
| addinfo
| eval timepickerSpanWeeks=round(((info_max_time - info_min_time)/60/60/24/7),0)
| stats count(eval(ishotfix= "false")) as hfx
| eval rate=round((hfx/timepickerSpanWeeks), 2)
Reply
Solved! Jump to solution
Solution

chrisj
Engager
‎09-17-2020 02:30 PM 
index=mydata
| addinfo | eval timepickerSpanWeeks=round(((info_max_time - info_min_time)/60/60/24/7),0)
| where ishotfix= "false"
| eventstats count(timepickerSpanWeeks) as counter
| eval rate = round(counter / timepickerSpanWeeks,2)
| top rate
| fields rate

This is what got me the result, it seems like a poor way of getting it but the number of results isn't large.  Happy for someone to revise! 🙂  Thanks for your help @ITWhisperer 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...