Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to list and plot total and average events by hour?

ejohn
Path Finder
‎10-13-2022 05:31 PM
I'm trying to do something pretty straightforward, and have looked at  practically every "average" answer on Splunk Community, but no dice.  I want to compare total and average webpage hits on a line chart.  I calculated and confirmed the standard (fillnull value=0) and cumulative (fillnull value=null) averages with the following:
 
host....
| bin _time span=1h
| eval date_hour=strftime(_time, "%H")
| stats count as hits by date, date_hour
| xyseries date, date_hour, hits
| fillnull value=0
|appendpipe
    [| untable date, date_hour, hits
     | eventstats avg(hits) as avg_events by date_hour
     | eval "Average Events"= avg_events
     | xyseries date date_hour avg_events
     | head 1
     | eval date="Average Events"]
 
 
How do I plot hits and avg_events on a line chart by date_hour?  Also,  if there is less convoluted SPL to get the same results, I'd love to know that as well—because I think I found where Google ends.
 

Thanks! 

Labels (6)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2022 11:27 PM

Hi @ejohn,

if you grouped timestamps for hours using the bin command, you dont need the following commands, please try something like this:

 

<your_search>
| eventstats count AS total
| bin _time span=1h
| stats values(total) AS total count BY _time
| eval average=count/total

 

If I didn't center your requirement, please share a sample of the desidered output

Ciao.

Giuseppe

0 Karma
Reply

ejohn
Path Finder
‎10-14-2022 10:30 AM
Ciao @gcusello ,
 
I've played around with the commands a bit, but still not getting the desired results.  I may not have explained well in my initial post, but I'm trying to get event counts and averages for a specific time range.  For example, if I have the following in my data:
 
date011217
08-01-20221  
08-02-20221 2
08-03-2022 17
08-04-20221  
 
I'd like to calculate the averages as follows:
 
standard avg = Σ events/# of events
cumulative avg = Σ events/# of days
 
date_hourΣ events# events# daysstandard avg cumulative avg
0133610.50
1211610.16667
179264.51.5
 

The calculations would be executed separately so I can plot one line chart with Σ events vs standard avg and another with Σ events vs. cumulative avg.   The table for standard average would look like this: 

date_hourΣ events# eventsstandard avg 
01331
12111
17924.5

 

Thanks for the help! 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-22-2022 03:16 AM

Hi @ejohn,

ok, your first table could be created using this search:

<your_search>
| eventstats count AS total
| bin _time span=1h
| chart count OVER _time BY hits

 Instead to arrive to the final table, you could try something like this example:

index=_internal 
| eventstats count AS total
| stats values(total) AS total dc(date_hour) AS date_hour count BY sourcetype
| eval average=round(count/total*100,2), cumulative=count/date_hour

in your case, you should try something like this.

<your_search>
| eventstats count AS total
| eval day=strftime(_time,"%m/%d/%Y")
| stats values(total) AS total dc(day) AS days count BY sourcetype
| eval average=round(count/total*100,2), cumulative=round(count/days,2)

Ciao.

Giuseppe

0 Karma
Reply

ejohn
Path Finder
‎11-01-2022 05:26 PM

Hi @gcusello ,

You put me on the right track!  I modified what you provided to calculate the average:

| eventstats count AS total by date_hour
| eval day=strftime(_time,"%m/%d/%Y")
| stats dc(day) AS days count BY date_hour
| eval average=round(count/days,2)
| sort by date_hour
| rename count as SumOfEvents, days as NumOfEvents

 

I used the syntax below separately to calculate the number of days in my selected date range.  So for the month of August, TotalDays will have a value of 31.

| eventstats dc(date_mday) as daysNmonth
| timechart sum(daysNmonth)
| stats count(_time) as TotalDays

 
I'm having trouble incorporating TotalDays with the first block of syntax to calculate:  

cumulative=round(SumOfEvents/TotalDays,2)


0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-02-2022 12:31 AM

Hi @ejohn,

I cannot test your search, but it should run:

| eventstats count AS total by date_hour
| eval day=strftime(_time,"%m/%d/%Y")
| eventstats dc(date_mday) as daysNmonth
| eventstats count(_time) as TotalDays
| stats 
   dc(day) AS days 
   values(daysNmonth) AS daysNmonth 
   values(TotalDays) AS TotalDays 
   count 
   BY date_hour
| eval average=round(count/days,2)
| sort by date_hour
| rename count as SumOfEvents, days as NumOfEvents
| eval cumulative=round(SumOfEvents/TotalDays,2)

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...