How to get an average per day

tefa627 · ‎10-07-2020

I am trying to get an average for the last (x) days for a that specific day and hour.

This search lists a count for the current day. I am trying to achieve an average for a specific field for the last 5 Mondays or Tuesdays or Wednesday..etc. So if today was Monday, the first value, AL-A at 00, would be the average of the past (x) Mondays at 00 for AL-A.

index=net_auth_long
| eval time_hour=strftime(_time,"%H")
| chart count over channel by time_hour limit=30

richgalloway · ‎10-07-2020

See if this helps.

index=_internal earliest=-5w@d
| eval today=lower(strftime(now(),"%a"))
| eval dow=lower(strftime(_time, "%a"))
| where today=dow
| timechart span=1w avg(specifiField) by channel

---
If this reply helps you, Karma would be appreciated.

tefa627 · ‎11-04-2020

What goes in specific field? I need it to be count by haven't use a count command.

How to get an average per day

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

How to get an average per day

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future