
How to search a weekly average and daily total?

Path Finder

Hi Sir:

The first query calculates the daily amount and then, after the date +7 days, the average amount from 5/9 to 5/16. The field name is Totalweekqty, but Totalweekqty still calculates the number for the day. How do I make | search now < week | or | where now < month | work? Thank you.

sourcetype=xxx PartNo=123 VendorCode=1000 storage_in_date=2014-05-09*
| eval Indate = substr(storage_in_date, 1, len(storage_in_date)-13)
| eval now = strptime(Indate, "%Y-%m-%d")
| eval week=(now+604800)
| eval month=(now+2592000)
| stats sum(qty) as Totaldayqty values(now) as now values(week) as week values(month) as month by VendorCode,PartNo
| search now < week
| stats values(Totaldayqty) as Totaldayqty avg(Totaldayqty) as Totalweekqty values(now) as now values(week) as week values(month) as month by VendorCode,PartNo
| where now < month
| stats values(Totaldayqty) as Totaldayqty values(Totalweekqty) as Totalweekqty avg(Totalweekqty) as Totalmonthkqty by VendorCode,PartNo |

0 Karma

Path Finder

Hi guys, I finally used the "delta" command. Thank you, everybody, for your kind support.

0 Karma


Getting started with stats, eventstats and streamstats may be what you are looking for.


If that does not help, more info will be needed.

0 Karma

Esteemed Legend

You need to scrap everything after the first pipe ("|"), show us a few events from your base search, and then clearly explain what you are trying to accomplish. Your search makes no sense and there is not enough explanation to allow us to understand what you are trying to do.

0 Karma



As you are constructing week and month from now, the following case will always be true:

now < week < month

Also, for all the events, you will get same values for now, week, and month.

Can you please explain what is required? If possible, share some sample events and what is the expected output.


0 Karma
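One reading of the question (daily totals plus their average over the seven days starting 2014-05-09), written as an added example that does not come from any poster in this thread. It compares each event's day against a fixed start of range instead of a value derived from the event itself, and it assumes the base search is widened to return every day in the range rather than only storage_in_date=2014-05-09*; `day` and `range_start` are names introduced for the example, the other fields are the asker's.

```spl
sourcetype=xxx PartNo=123 VendorCode=1000
| eval Indate = substr(storage_in_date, 1, len(storage_in_date)-13)
| eval day = strptime(Indate, "%Y-%m-%d")
| eval range_start = strptime("2014-05-09", "%Y-%m-%d")
| where day >= range_start AND day < range_start + 604800
| stats sum(qty) as Totaldayqty by VendorCode, PartNo, day
| eventstats avg(Totaldayqty) as Totalweekqty by VendorCode, PartNo
| eval day = strftime(day, "%Y-%m-%d")
| table VendorCode, PartNo, day, Totaldayqty, Totalweekqty
```

The average is taken over days that actually have events; a day with no rows is not counted as zero.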