Splunk Search

How do you find the average count within a time range?

Motivator

I have the following search that shows users who are continuously being infected over a 30-day period:

index=foo
| stats count range(_time) as TimeRange by user src app app:category app:subcategory threat url
| where TimeRange>1800 
| where NOT zone="null"
| eval TimeRange_In_Hours = round(TimeRange/3600,2), TimeRange_In_Days = round(TimeRange/3600/24,2)

Is it possible to show the avg count within the time range being returned per user?

Thx

Ultra Champion

What average do you want to calculate?


Motivator

If possible, the avg hits within the TimeRangeInHours

Thx


Ultra Champion

So avg number of hits per hour? If count is the total number of hits, just do | eval avg_hits = count / TimeRange_In_Hours. Or am I not understanding your objective?

Motivator

That was it - I was overthinking the issue when it ended up being very simple.

Thx!


SplunkTrust

Can we have some sample output, with example/dummy data?


Motivator

Sure thing:

user src app app:category app:subcategory threat url count TimeRange TimeRangeInDays TimeRangeInHours
jdoe x.x.x.x web-browsing general-internet internet-utility Virus/Win32.WGeneric.pppda(195251778) AliMiserUpdate.exe 4 2703 0.03 0.75
msmith x.x.x.x web-browsing general-internet internet-utility Virus/Win32.WGeneric.pppda(195251778) AliMiserUpdate.exe 7 7931 0.09 2.2
rjones x.x.x.x web-browsing general-internet internet-utility Generic User-Agent Traffic(10015) www.cnki.net/elearning/JournalMgr/JConfig.ini 3 23714 0.27 6.59
mhammer x.x.x.x web-browsing general-internet internet-utility Veil-Evasion Payload Detected(39480) openblas_warpper.dll 13 5853 0.07 1.63

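The full search with the hits-per-hour calculation from the accepted answer folded in, as an added example rather than code from the original posts; it keeps the poster's search as-is and divides by the unrounded TimeRange (seconds / 3600) so the rate is not skewed by the two-decimal rounding of TimeRange_In_Hours, which is safe because `where TimeRange>1800` already excludes zero-length ranges:

```spl
index=foo
| stats count range(_time) as TimeRange by user src app app:category app:subcategory threat url
| where TimeRange>1800
| where NOT zone="null"
| eval TimeRange_In_Hours = round(TimeRange/3600,2), TimeRange_In_Days = round(TimeRange/3600/24,2)
| eval avg_hits_per_hour = round(count / (TimeRange/3600), 2)
| table user src threat url count TimeRange_In_Hours TimeRange_In_Days avg_hits_per_hour
| sort - avg_hits_per_hour
```

Because range(_time) spans only first to last event, avg_hits_per_hour is the rate between those two sightings, not over the whole 30-day window; on the sample rows above, jdoe comes out at 4 / (2703/3600) ≈ 5.33 and mhammer at 13 / (5853/3600) ≈ 8.0.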