Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate average for several prior observations and compare that to the current observation?

samjone
New Member
‎04-27-2017 05:19 AM

Lets say, i have a requirement to show hourly count of payments in a timechart-
And lets say today is Monday.

I will do-

index=payments sourcetype=xyz|timechart span=1h count

Now, i need to show comparative analysis to show how count of payments being observed today at every hourly interval trend up against previous 2 weeks Monday's. So basically additional comparison line showing average of data from previous 2 Mondays for the same time interval.

Eg- Today- Monday number of payments at 10am were 100.
Last week monday, number of payments at 10am were 50
Prior to that week Monday, number of payments at 10am were 10

So, value of 100 should show up in todays line chart and average of 50 and 10...which is 50+10/2=30 should up in second line on the same chart.

And this thing to be done for entire full day.(on hourly basis)

how to do, please advise, Thank you !

0 Karma
Reply

dineshraj9
Builder
‎04-27-2017 05:49 AM

Try below logic -

index=payments sourcetype=xyz earliest=@d latest=now | eval day="today" | timechart span=1h count by day 
| append [ search index=payments sourcetype=xyz earliest=-7d latest=-6d | eval day="last week" | eval _time=_time + 604800 |timechart span=1h count by day ] 
| append [ search index=payments sourcetype=xyz earliest=-14d latest=-13d | eval day="2 weeks back" | eval _time=_time + 604800 * 2 |timechart span=1h count by day ]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...