Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Getting daily count and overall average
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I'm trying to get the stats of the count of events per day, but also the average.
...| stats count by date_mday is fine for getting the count per day
and
...| stats count by date_mday | stats avg(count) gets the overall daily average
However, I'd like to combine those two into a single table, with one column being the daily total, and the second column being the overall average (which will of course be the same value every day).
I think I'm just struggling with the syntax...can anyone help please?????
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you can use eventstats for this:
| stats count by date_mday | eventstats avg(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you can use eventstats for this:
| stats count by date_mday | eventstats avg(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main host=wrs* domain=zzz* | stats count as daycount by date_mday | eventstats avg(daycount)
when i use run the above command for past 7days...i see different values for daycount which is expected, but i'm getting same values for avg(daycount) for all 7 days....can you explain me how it works...??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If want to see a moving average try using | streamstats avg(daycount)
Breakdown of eventstats vs. streamstats that may help clear up what each one does
http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Sir,
I am trying to fetch count of errors in application logs on daily basis and average count of errors in past 7 days.
I tried using the following: -
index=** <Search condition> |stats count by error |streamstats avg(count)I get three columns: error, count, avg(count). I am able to follow the results obtained in first two columns, but unable to understand how the values are getting calculated and displayed for avg(count). Thus, need your help to comprehend the same.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the streamstats tip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly what i was looking for. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, easy when you know the command!
Thanks.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
