Splunk Search

How to achieve average number of events per unit of time in different days of the week?



How can I compare load during the same time every day for business days?

I.e. time 11:00 AM - 7:00 PM on Monday, Tuesday, ..., Friday
Monday - 3200
Tuesday  - 3300
Wednesday - 5400
Thursday - 3200
Friday - 3100




Here's one way to get the figures for business hours.

| tstats count where index=foo earliest=-7d by _time span=1h
```Get the day of the count```
| eval day=strftime(_time,"%A")
```Get the hour of the count (tonumber so the comparison below is numeric, not lexicographic)```
| eval hour=tonumber(strftime(_time,"%H"))
```Discard counts on weekends.  Keep only those during business hours.```
| where ((NOT day IN ("Saturday", "Sunday")) AND (hour>=11 AND hour<19))
```Total by day```
| stats sum(count) as count by day

What do you mean by "compare"?

If this reply helps you, an upvote would be appreciated.


Hi. Thank you for the reply.
What I am trying to achieve is to see if, let's say, the number of requests per server is either much higher or much lower than the typical load for the same time of the same day of the week.
I.e. a server team sees CPU utilization spike at 07:30 AM on Wednesday with no visible reason.
I would check whether the number of connections is in the same range as it was a week ago, at 07:30 AM on the previous Wednesday, or whether traffic is higher and could have caused the CPU spike.


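
The follow-up asks for a same-hour, same-weekday baseline rather than a per-day total, so here is an added search (not from the answer above) that pulls two weeks of hourly counts, keeps weekday business hours, labels each bucket as this week or last week, and puts the two figures side by side per weekday:hour slot with the percentage change. It assumes the same `index=foo`, the 11:00-19:00 window from the question, and a 25% deviation threshold chosen for illustration.

```spl
| tstats count where index=foo earliest=-14d@h latest=@h by _time span=1h
| eval day=strftime(_time,"%A"), hour=tonumber(strftime(_time,"%H"))
| where NOT day IN ("Saturday","Sunday") AND hour>=11 AND hour<19
| eval week=if(_time>=relative_time(now(),"-7d@h"),"this_week","last_week")
| eval slot=day.":".strftime(_time,"%H")
| chart sum(count) over slot by week
| eval pct_change=round(100*(this_week-last_week)/last_week,1)
| eval flag=case(isnull(last_week) OR isnull(this_week),"no data", abs(pct_change)>25,"ANOMALY", true(),"ok")
| table slot last_week this_week pct_change flag
```

Because `latest=@h` drops the partial current hour and the split at `-7d@h` gives both weeks the same set of hourly slots, every row should have both columns; a slot with no events at all in one week shows as "no data" rather than a spurious change. Add `host` to the `by` clause of `tstats` and to `slot` if the comparison has to be per server.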