Solved: Re: How to create a string that produce a weeks wo...

reverse · ‎06-03-2019

How would I create a result like below: in avg(v2) of Last week and avg(v2) of current week
Please guide.
Thanks.

    date          v1       v2
    05-22-2019  22.1     4
    05-22-2019  22.38   1
    05-23-2019  22.46   0.4
    05-24-2019  23.02   2.5
    05-24-2019  23.26   1.0
    05-25-2019  23.46    0.86
    05-27-2019  23.5     0.17
    05-28-2019  24.09   3
    05-30-2019  24.79   2.9
    05-30-2019  25.1     1
    05-31-2019  25.45   1
    06-01-2019  25.8     1
    06-02-2019  25.84   0.16

Vijeta · ‎06-03-2019

@reverse- You can try below

<your search> | eval new_date=strptime(date,"%m-%d-%Y")| eval week=strftime(new_date,"%U") | eventstats avg(v2) as average_v2 by week

View solution in original post

Vijeta · ‎06-03-2019

@reverse- You can try below

<your search> | eval new_date=strptime(date,"%m-%d-%Y")| eval week=strftime(new_date,"%U") | eventstats avg(v2) as average_v2 by week

aromanauskas · ‎06-03-2019

You need to pull the week number out of the date.

| eval week_number=strftime(date,"%W")

If you then want to calculate the results for the current vs other weeks you can do some other evals such as

|eval this_week_number=strftime(now(),"%W") | eval weeks_ago=this_week_number - week_number

Need more information to determine how you would want the stats to look.

How to create a string that produce a weeks worth of averages?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to create a string that produce a weeks worth of averages?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases