Splunk Search

How to edit my search to show a line of an average over the last 30 days on a column graph?

SecureIA
Path Finder

Hi helpful people,

I wish to display on a column graph an average line for my search. My current search is as follows:-

host=CATSG14 "INTGWAUTH" AND "Failed login" earliest=-30d@d latest=now | timechart span=1d count

Is there any way to show an average bar on the graph? Any help will be truly appreciated.

1 Solution

aljohnson_splun
Splunk Employee
Splunk Employee

Yes, there are lots of ways. A simple way would be to use trendline:

host=CATSG14 "INTGWAUTH" AND "Failed login" earliest=-30d@d latest=now 
| timechart span=1h count
| trendline sma5(count) as 5hour_average

You can change the 5 of sma5 to something else, e.g. a 24 hour average with | trendline sma24(count).


Docs for trendline can be found here.


SecureIA
Path Finder

Thanks for your reply, aljohnson!! I tried this; however, I simply get another bar instead of a trendline :confused_face:


SecureIA
Path Finder

Thanks a lot, guys, I managed this :slightly_smiling_face:


somesoni2
Revered Legend

You would have to select the overlay option to set the new field as overlay field. See here

http://docs.splunk.com/Documentation/Splunk/6.1/Viz/Chartcontrols#Chart_overlay_example_.28dual_axis...
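As an added example (not code from anyone in this thread), here is a Simple XML panel that combines the trendline from the accepted answer with the chart overlay setting somesoni2 points to, so the average renders as a line over the daily failed-login columns instead of as another bar. The field names failed_logins, avg_30d and weekly_trend are my own, and the flat 30-day average via eventstats is an addition the thread does not mention.

```xml
<dashboard>
  <label>INTGWAUTH failed logins on CATSG14: daily count with averages</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Same base search as the question, bucketed per day over the last 30 days.
               eventstats adds the flat average of all 31 daily buckets to every row,
               trendline sma7 adds a 7-day simple moving average (null for the first 6 days). -->
          <query>host=CATSG14 "INTGWAUTH" AND "Failed login" earliest=-30d@d latest=now
| timechart span=1d count AS failed_logins
| eventstats avg(failed_logins) AS avg_30d
| eval avg_30d=round(avg_30d, 1)
| trendline sma7(failed_logins) AS weekly_trend</query>
        </search>
        <!-- Column chart for the daily counts -->
        <option name="charting.chart">column</option>
        <!-- Draw these fields as lines on top of the columns rather than as extra bars.
             Without this option they appear as additional column series, which is what
             the asker saw. -->
        <option name="charting.chart.overlayFields">avg_30d,weekly_trend</option>
        <option name="charting.axisTitleY.text">Failed logins per day</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Days where the column rises well above the avg_30d line are the ones worth pulling the raw events for, which is the usual reason for wanting the average line on a failed-login chart.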
