Re: Get a total count for today and weekly average...

Ana01 · ‎04-12-2023

Hello!
I've been trying to solve this problem for a couple days now but can't seem to figure it out.
So basically I want get the total count received for "Field A" today, and get an average of "Field B" for the past week displayed in a single table/result. Field B is the time Field A was received. I will use this then to determine if Field A arrived on time today, but I also need the total count for other purposes.

Example Desired Output

Date Field Count AvgTimeReceived TimeReceived
mm/dd/yy "FieldA" 5 5:00:00 7:00:00

Where columns Date,Field,Count,TimeReceived are from today's events, and AvgTimeReceived is an average for the past 7 days.

Thanks!

woodcock · ‎04-14-2023

index="YourIndexHere" AND sourcetype="YourSourcetypeHere"
| stats count(FieldA) AS FieldA avg(eval(fieldB - relative_time(fieldB, "@d"))) AS AvgTimeReceived

yuanliu · ‎04-13-2023

I have a strong impression that this very use case came up recently but can't remember the solution. You don't seem to need FieldB at all because that is just the _time associated with past events. Here is a rather literal interpretation of your requirement:

FieldA=* earliest=-7d@d
```| fields _time FieldA ```
| eval ToDreceived = _time - strptime(strftime(_time, "%F"), "%F")
| eval todayFieldA = if(_time - strptime(strftime(now(), "%F"), "%F") < 86400, FieldA, null())
| eval todayToDreceived = if(_time - strptime(strftime(now(), "%F"), "%F") < 86400, ToDreceived, null())
| eval previous7dayToDreceived = if(_time - strptime(strftime(now(), "%F"), "%F") < 86400, null(), ToDreceived)
| eventstats count(todayFieldA) as Count
| stats avg(previous7dayToDreceived) as AvgTimeReceived avg(todayToDreceived) as TimeReceived by FieldA Count
| eval Date = strftime(now(), "%m/%d/%y")
| fieldformat AvgTimeReceived = strftime(AvgTimeReceived, "%H:%M:%S") ``` value is still numeric for future calculations ```
| fieldformat TimeReceived = strftime(TimeReceived, "%H:%M:%S") ``` value is still numeric for future calculations ```
| fields Date FieldA Count AvgTimeReceived TimeReceived

Even if you always store time of day in FieldB and that FieldB is in seconds, not a formatted string, performance improvement would still be too small to matter.

bowesmana · ‎04-12-2023

What is Time Received for today's events? Is it an average of today's events - are they of different times and is that the _time field or some other time that represents received time.

When you say a count of FieldA, do all events have FieldA, if so, it's just a count of events.

Does the average of the last 7 days include today's events or the 7 days before today?

Ana01 · ‎04-13-2023

Hello!
So basically it would be for file monitoring.
All events have Field A (which would be filenames) and it could have different values. We are counting events per filename.
Time Received is a separate field we receive in HH:MM:SS format. This will have different value per event as well.

For output, I want to get an average time received for filenameX per day, and then get the average for the whole week.
I then want to do include that in today's search to see if the time we received filenameX today is within the average time it was received for the last week.

Last 7 days will not include today's events.

Thanks!

How to get a total count for today and weekly average index time in one search?

count

eval

timechart

tstats

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?