Splunk Search

How to edit my search to get an average of the total count for the last X days?

athorat
Communicator

I am getting a total count by using

index=aap_prod sourcetype="ECS:PROD:CATALINA" (ECSSearchType=autocomplete OR ECSSearchType=search)| stats count(ECSSearchType)

How do I get an avg of the count for last 7 days or 30 days based on the time picker?

1 Solution

HiroshiSatoh
Champion

try this!

index=aap_prod sourcetype="ECS:PROD:CATALINA" (ECSSearchType=autocomplete OR ECSSearchType=search)| timechart span=d count(ECSSearchType) as count|stats avg(count) 


athorat
Communicator

Thanks for the reply.
So here's the thing. The total count for the last 24 hours is 307 and the average for the last 24 hours is 153.
How is it calculating the average?
Should it not be "total / number of days"?


HiroshiSatoh
Champion

This is because the past 24 hours is over two days.

| timechart span=d count(ECSSearchType) as count
_time,count
10/2,1
10/3,2
10/4,3
10/5,4
10/6,5
10/7,6
10/8,7

|stats avg(count) 
(1+2+3+4+5+6+7) / 7 days

HiroshiSatoh
Champion

This is because the past 24 hours is over two days.

timechart span=d count(ECSSearchType) as count

_time count

10/02 100
10/03 101
10/04 102
10/05 103
10/06 104
10/07 105
10/08 106

|stats avg(count)
(100+101+102+103+104+105+106) / 7 days

However, there are cases such as the following.

10/04, 10/05 -> NO DATA

_time count

10/02 100
10/03 101
10/06 104
10/07 105
10/08 106

|stats avg(count)
(100+101+104+105+106) / 5 days

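The two points in the replies above (a "last 24 hours" window straddling two calendar-day buckets, and the denominator changing when some days have no events) can be reproduced outside Splunk. The following is an added example, not code from the thread: a small Python model of `timechart span=d count` followed by `stats avg(count)`, run over constructed event timestamps. The `fill_empty_days` flag is an assumption added here so both denominators can be compared, because whether a day with no events appears as a 0 row or is absent changes the average.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def daily_counts(event_times, earliest, latest, fill_empty_days=True):
    """Model `timechart span=d count`: keep events inside [earliest, latest),
    bucket them by calendar day (buckets align to midnight, not to `earliest`),
    and optionally emit a 0 row for days in the window that have no events."""
    counts = Counter()
    for t in event_times:
        if earliest <= t < latest:
            counts[t.date()] += 1
    if fill_empty_days:
        day = earliest.date()
        last_day = (latest - timedelta(microseconds=1)).date()
        while day <= last_day:
            counts.setdefault(day, 0)
            day += timedelta(days=1)
    return dict(sorted(counts.items()))


def avg_per_day(counts):
    """Model `| stats avg(count)` over the timechart rows: mean of the row values."""
    return sum(counts.values()) / len(counts) if counts else 0.0


# Constructed sample: 200 searches yesterday evening and 107 this morning,
# all inside a "last 24 hours" window ending at 2023-10-08 14:00 UTC.
NOW = datetime(2023, 10, 8, 14, 0, tzinfo=UTC)
LAST_24H_EVENTS = (
    [datetime(2023, 10, 7, 20, 0, tzinfo=UTC)] * 200
    + [datetime(2023, 10, 8, 10, 0, tzinfo=UTC)] * 107
)

# Constructed sample for the gap case: no events at all on 10/04 and 10/05.
GAP_EVENTS = [
    datetime(2023, 10, day, 12, 0, tzinfo=UTC)
    for day, n in [(2, 100), (3, 101), (6, 104), (7, 105), (8, 106)]
    for _ in range(n)
]


def last_24h_example():
    """Total, number of day buckets, and avg: 307 events land in 2 buckets."""
    counts = daily_counts(LAST_24H_EVENTS, NOW - timedelta(hours=24), NOW)
    return sum(counts.values()), len(counts), avg_per_day(counts)


def gap_example():
    """Avg when empty days are absent (516/5) versus shown as 0 rows (516/7)."""
    earliest, latest = datetime(2023, 10, 2, tzinfo=UTC), datetime(2023, 10, 9, tzinfo=UTC)
    skipped = avg_per_day(daily_counts(GAP_EVENTS, earliest, latest, fill_empty_days=False))
    zero_filled = avg_per_day(daily_counts(GAP_EVENTS, earliest, latest, fill_empty_days=True))
    return skipped, zero_filled
```

Run `last_24h_example()` to see the 307-event window split across two day buckets (average 153.5 rather than 307), and `gap_example()` to see how the two missing days move the average from 103.2 to about 73.7.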