Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I construct a search for the average per da...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christopheryu
Communicator
09-14-2016
09:08 AM
I am trying to chart the average per day of the week (mon, tue, wed, etc) but unable to do it with the days arranged in sequence i.e., Sun, Mon, Tue, etc.
I have the following search with the days of the week in order but it shows the total per day of week:
search | eval date_wday=strftime(_time,"%w-%A") | chart count by date_wday
I found this search for average per day of the week but can't make it to work with the above for the days to be in sequence:
search | bin span=1d _time | stats count dc(_time) as days by date_wday | eval average_count = count / days
Any help would be highly appreciated!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-14-2016
09:18 AM
Try this
search | eval date_wday=strftime(_time,"%w-%A") | bin span=1h _time | stats count by date_wday _time | stats avg(count) as avg_by_day by date_wday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-14-2016
09:36 AM
This should do it
search | eval date_wday=strftime(_time,"%w-%A") | chart count by date_wday | eventstats count as days | eval average_count = count / days
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-14-2016
09:18 AM
Try this
search | eval date_wday=strftime(_time,"%w-%A") | bin span=1h _time | stats count by date_wday _time | stats avg(count) as avg_by_day by date_wday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christopheryu
Communicator
09-14-2016
10:43 AM
Perfect, this works, thank you very much sir! Just needed to change bin span from 1h to 1d. I'm pretty sure a lot of splunk users will be able to use your answer as it can be applied to basically any search with the same requirement as mine.
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
