Re: Event Count by Average Overtime

TwitchyB · ‎01-31-2024

Hello, I'm starting out on my splunk journey and have been tasked with figuring out a dashboard for my executives. I created a layout for a dashboard and had the idea of creating a chart, but have been struggling with the logic.

What I'm looking to do is have a the count/average count over time by time so I have a chart of percentages of the day against their average thruput. I had a few ideas for the search but none seemed to work.

could someone give me some direction please on what I've gotten so far? (its definitely wrong)

index=*
| where index="Index 1" OR index="Index 2" OR index="Index 3"
| eval Count=sum(count(index)) / "something something something to get the average"
| timechartcount by Count

scelikok · ‎01-31-2024

Hi @TwitchyB,

You can try below;

index="Index 1" OR index="Index 2" OR index="Index 3"
| timechart count by index

If this reply helps you an upvote and "Accept as Solution" is appreciated.

TwitchyB · ‎02-01-2024

Thank you for your reply. I've sort of gotten that far, but where I'm really struggling is trying to make each index their percentage of their respective thruput, sorry if I didn't clarify that in the question.

yuanliu · ‎02-02-2024

Percentage as the sum of values in each time bucket?

index IN ("Index 1", "Index 2", "Index 3")
| timechart count by index
| addtotals
| foreach *
    [eval <<FIELD>> = if(Total == 0, 0, <<FIELD>> / Total * 100)]
| fields - Total

As @scelikok indicates, move index filter into index search is more efficient. (The above is an alternative syntax.)

Event Count by Average Overtime

count

timechart

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation