Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get just one avg count per day? (With time span = 3h I get 3 counts per day)

imsidrai
Explorer
‎08-29-2022 10:19 AM

Using the below query to get the daily avg user in during biz hours: 

index=pan_logs sourcetype=json_no_timestamp metricname="field total user"
|bin _time span=3h | stats latest(metricvalue) AS temp_count by metricname _time
| stats sum(temp_count) as "Users" by _time
|eval Date=strftime(_time,"%m/%d/%y")
|eval bustime=_time, bustime=strftime(bustime, "%H")
|eval day_of_week = strftime(_time,"%A")
|where ( bustime > 8 and bustime < 18) AND NOT (day_of_week="Saturday" OR day_of_week="Sunday")
|eventstats avg(Users) as DailyAvgUsers by Date
|eval DailyAvgUsers = round(DailyAvgUsers)
|table Date day_of_week DailyAvgUsers

but the query gives 3 counts per day  while i want only 1 for a day, when i change span to 6h , it gives me one count , but since i am counting only between 8AM to 6PM , it gives me no count when i run the search at 12PM Monday with 6h span.

imsidrai_0-1661792522881.png

 

imsidrai_1-1661792581430.png

How I can get one avg count per day? with time span = 3h 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-30-2022 04:14 AM

Some clarification about time entities on Splunk:

  • Time period - Time period from where you are looking events
  • Time bin/span - slots inside Time period to where you are dividing the whole time period.

I understood that you have longer time period than 1d and you want to divide it to 1d bins? If this is correct then just look when day is Monday to Friday and hour eg. 8 to 17 or what ever those should be. After that you have just those correct events and then you can slot it to 1d bins (which contains events on business days with business hours).

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-30-2022 12:18 AM
I think that you should 1st select events which are within your business day definition and after that calculate those values with bin 1d.
r. Ismo
Reply
Solved! Jump to solution

imsidrai
Explorer
‎08-30-2022 02:56 AM

But if i run this with 1d span , the report only shows data for last day , it wont show the data for current day until the span is completed.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-30-2022 04:14 AM

Some clarification about time entities on Splunk:

  • Time period - Time period from where you are looking events
  • Time bin/span - slots inside Time period to where you are dividing the whole time period.

I understood that you have longer time period than 1d and you want to divide it to 1d bins? If this is correct then just look when day is Monday to Friday and hour eg. 8 to 17 or what ever those should be. After that you have just those correct events and then you can slot it to 1d bins (which contains events on business days with business hours).

Reply
Solved! Jump to solution

imsidrai
Explorer
‎09-02-2022 08:21 AM

thank you @isoutamo 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...