Solved: How can I perform a count and then average that co...

rcarmack1 · ‎07-26-2018

I am investigating failed logins. I need to perform a count of all failed logins by user, take an average of that count, and then only show results that are higher than the average.

index=windows fail*
| stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
| *Need to Average the count here*
| convert ctime("Earliest Failure") ctime("Latest Failure")
| where count > *Average*
| table user "Earliest Failure" "Latest Failure" count 
| sort -count

Thanks in advance!

kmaron · ‎07-26-2018

try just adding an eventstats

 index=windows fail*
 | stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
 | eventstats avg(count) as "Average"
 | convert ctime("Earliest Failure") ctime("Latest Failure")
 | where count > Average
 | table user "Earliest Failure" "Latest Failure" count 
 | sort -count

View solution in original post

kmaron · ‎07-26-2018

try just adding an eventstats

 index=windows fail*
 | stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
 | eventstats avg(count) as "Average"
 | convert ctime("Earliest Failure") ctime("Latest Failure")
 | where count > Average
 | table user "Earliest Failure" "Latest Failure" count 
 | sort -count

rcarmack1 · ‎07-26-2018

Perfect! Thank you!

How can I perform a count and then average that count?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!