Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get today's and last 7 day's average in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a query
index=errors earliest=@d latest=now |stats count(ErrorCode) as ErrorCountForToday by host
I would like this query to show me error count for today (as doing already) and the average error count for the last 7 days . so that I can compare how much increase decrease happened.
Currently we are using a input csv which populates a file with 7 days average data and we pick it up from there.
Let me know if that is achievable from the query.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=errors earliest=-7d@d latest=now
| timechart span=1d count(ErrorCode) AS ErrorCount BY host
| untable _time host count
| eval start_of_today = relative_time(now(), "@d")
| eval when= if((_time >= start_of_today), "Today", "Last Week")
| chart avg(count) AS count BY when
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=errors earliest=-7d@d latest=now
| timechart span=1d count(ErrorCode) AS ErrorCount BY host
| untable _time host count
| eval start_of_today = relative_time(now(), "@d")
| eval when= if((_time >= start_of_today), "Today", "Last Week")
| chart avg(count) AS count BY when
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
Thanks for your answer. But when I am running this, I am only seeing today's data, not the average of 7 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are quite correct; there was a flaw in my original answer. Try the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what is the updated query, could you please tell
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I edited the answer so the one that you see is the fixed one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks much @woodcock.
Actually I am looking something like below -
Single Table containing -
stats count by DID TN - for today
avg count for last 7 day by DID and TN
deviation of today vs. Last 7 day avg count.
e.g.
DID TN Today Last7Dayavg Deviation - Today vs Last 7 day avg
123 A 230 330 -100
124 B 90 70 20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please help, could not able to do this for a long.......
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ask a new question and @-me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this is working now. 🙂
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
