Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Event Count by Average Overtime

TwitchyB
New Member
‎01-31-2024 01:17 PM

TwitchyB_0-1706733400544.png


Hello, I'm starting out on my splunk journey and have been tasked with figuring out a dashboard for my executives. I created a layout for a dashboard and had the idea of creating a chart, but have been struggling with the logic. 

What I'm looking to do is have a the count/average count over time by time so I have a chart of percentages of the day against their average thruput. I had a few ideas for the search but none seemed to work.

could someone give me some direction please on what I've gotten so far? (its definitely wrong)

index=*
| where index="Index 1" OR index="Index 2" OR index="Index 3"
| eval Count=sum(count(index)) / "something something something to get the average"
| timechartcount by Count

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-31-2024 01:45 PM

Hi @TwitchyB,

You can try below;

index="Index 1" OR index="Index 2" OR index="Index 3"
| timechart count by index
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

TwitchyB
New Member
‎02-01-2024 05:32 AM

Thank you for your reply. I've sort of gotten that far, but where I'm really struggling is trying to make each index their percentage of their respective thruput, sorry if I didn't clarify that in the question. 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-02-2024 04:38 PM

Percentage as the sum of values in each time bucket?

index IN ("Index 1", "Index 2", "Index 3")
| timechart count by index
| addtotals
| foreach *
    [eval <<FIELD>> = if(Total == 0, 0, <<FIELD>> / Total * 100)]
| fields - Total

As @scelikok indicates, move index filter into index search is more efficient. (The above is an alternative syntax.)

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...