Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I show a numeric average of last X days...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I am trying to create a timechart report that displays both average of a numeric value of last 7 days and real time value in 30sec realtime window.
The data looks like this:
2012/03/16 15:29:44 number=2090 uname=uid19 loc=area1_section8 ipaddr=10.1.1.31 result=success
2012/03/16 15:29:44 number=4816 uname=uid44 loc=area0_section4 ipaddr=10.1.1.19 result=success
2012/03/16 15:29:44 number=7542 uname=uid5 loc=area0_section9 ipaddr=10.1.1.7 result=success
2012/03/16 15:29:44 number=269 uname=uid30 loc=area2_section5 ipaddr=10.1.1.32 result=failed
I came up with the following search and set the time range to 30 sec window.
index=test sourcetype=sample2 | eventstats mean(number) as mean | timechart avg(mean) max(number)
However, the average, mean value changes as events get indexed because the eventstats calculates only mean in recent 30 sec window.
Is there search that calculate last 7 days mean and use the mean as fixed value while realtime search is running so the mean value does not get calculated in realtime with recent 30 sec realtime value?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure this is right way, but Icame up with the following:
Create summary index for 7 day average
index=test earliest=-7d@d latest=@d | stats avg(number) as mean | addinfo | collect index=summary addinfo marker="info_search_name=\"7day_avg_num\""
Search from summary index and put the average value using eval + subsearch
index=test | eval 7day_avg=([search index=summary info_search_name="7day_avg_num" | head 1 | rename mean as search]) | timechart avg(7day_avg), avg(number)
Any comment appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure this is right way, but Icame up with the following:
Create summary index for 7 day average
index=test earliest=-7d@d latest=@d | stats avg(number) as mean | addinfo | collect index=summary addinfo marker="info_search_name=\"7day_avg_num\""
Search from summary index and put the average value using eval + subsearch
index=test | eval 7day_avg=([search index=summary info_search_name="7day_avg_num" | head 1 | rename mean as search]) | timechart avg(7day_avg), avg(number)
Any comment appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
