Solved: Re: How can I perform a count and then average tha...

rcarmack1 · ‎07-26-2018

I am investigating failed logins. I need to perform a count of all failed logins by user, take an average of that count, and then only show results that are higher than the average.

index=windows fail*
| stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
| *Need to Average the count here*
| convert ctime("Earliest Failure") ctime("Latest Failure")
| where count > *Average*
| table user "Earliest Failure" "Latest Failure" count 
| sort -count

Thanks in advance!

kmaron · ‎07-26-2018

try just adding an eventstats

 index=windows fail*
 | stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
 | eventstats avg(count) as "Average"
 | convert ctime("Earliest Failure") ctime("Latest Failure")
 | where count > Average
 | table user "Earliest Failure" "Latest Failure" count 
 | sort -count

View solution in original post

kmaron · ‎07-26-2018

try just adding an eventstats

 index=windows fail*
 | stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
 | eventstats avg(count) as "Average"
 | convert ctime("Earliest Failure") ctime("Latest Failure")
 | where count > Average
 | table user "Earliest Failure" "Latest Failure" count 
 | sort -count

rcarmack1 · ‎07-26-2018

Perfect! Thank you!

How can I perform a count and then average that count?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation