Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I construct a search for the average pe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christopheryu
Communicator
09-14-2016
09:08 AM
I am trying to chart the average per day of the week (mon, tue, wed, etc) but unable to do it with the days arranged in sequence i.e., Sun, Mon, Tue, etc.
I have the following search with the days of the week in order but it shows the total per day of week:
search | eval date_wday=strftime(_time,"%w-%A") | chart count by date_wday
I found this search for average per day of the week but can't make it to work with the above for the days to be in sequence:
search | bin span=1d _time | stats count dc(_time) as days by date_wday | eval average_count = count / days
Any help would be highly appreciated!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-14-2016
09:18 AM
Try this
search | eval date_wday=strftime(_time,"%w-%A") | bin span=1h _time | stats count by date_wday _time | stats avg(count) as avg_by_day by date_wday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-14-2016
09:36 AM
This should do it
search | eval date_wday=strftime(_time,"%w-%A") | chart count by date_wday | eventstats count as days | eval average_count = count / days
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-14-2016
09:18 AM
Try this
search | eval date_wday=strftime(_time,"%w-%A") | bin span=1h _time | stats count by date_wday _time | stats avg(count) as avg_by_day by date_wday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christopheryu
Communicator
09-14-2016
10:43 AM
Perfect, this works, thank you very much sir! Just needed to change bin span from 1h to 1d. I'm pretty sure a lot of splunk users will be able to use your answer as it can be applied to basically any search with the same requirement as mine.
Get Updates on the Splunk Community!
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...
Overwhelmed SOC? Splunk ES Has Your Back
Tool sprawl, alert fatigue, and endless context switching are making ...
What’s New & Next in Splunk SOAR
Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us on ...
