Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my search to find the monthly averag...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I edit my search to find the monthly average to compare against daily totals?
user12345a_2
Explorer
06-08-2016
05:14 AM
So I have the following search/report that I run daily:
index=os_linux NOT root tag=authentication NOT tag=failure | stats count by host, user, eventtype, src_ip | search eventtype=*authentication* | eval dest_count=host+":"+src_ip+"("+count+")" | stats values(dest_count) AS Daily by user, eventtype
which generates output similar to the following:
user eventtype Daily
---- --------- -----
user1 sshd_authentication system5.xyz.com:192.168.1.2(1)
user2 sshd_authentication system12.xyz.com:192.168.1.42(2)
system24.xyz.com:192.168.1.29(12)
user3 sshd_authentication system15.xyz.com:192.168.1.24(7)
I want to modify this to add a column to give me the 30-day average for each user on the respective system. A sample output would be (or something similar):
user eventtype Daily Avg
---- --------- ----- -----
user1 sshd_authentication system5.xyz.com:192.168.1.2(1) 5
user2 sshd_authentication system12.xyz.com:192.168.1.42(2) 3
system24.xyz.com:192.168.1.29(42) 1
user3 sshd_authentication system15.xyz.com:192.168.1.24(7) 7
I'm having trouble getting this to work. Can anyone offer any suggestions on what the best way would be to accomplish this? Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
justinatpnnl
Communicator
06-08-2016
06:01 PM
This one is a little tricky because you need to search a month of data in order to get the average, but still process daily results as well. Here was my stab at it, searching over the "Last 30 Days":
index=os_linux NOT root tag=authentication NOT tag=failure
| bucket _time span=1d
| stats count(eval(_time=relative_time(now(),"@d"))) as count, count as total by host, user, eventtype, src_ip
| search eventtype=*authentication*
| eval dest_count=host+":"+src_ip+"("+count+")", average=total/30
| stats values(dest_count) as Daily, values(average) as Average by user, eventtype
By bucketing the _time in 1 day increments, we can grab just the count of today's events and the total count. Will this do the trick for you?
Get Updates on the Splunk Community!
What's New in Splunk Observability - November 2025
Feature Highlight
Analyze your dimensions and metrics with Usage Analytics
To help optimize telemetry data ...
Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...
Hi friends!
At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Watch On Demand the Tech Talk, and empower your SOC to reach new heights!
Duration: 1 hour
Prepare to ...
