Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search a weekly average and daily tota...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search a weekly average and daily total?
Hi Sir:
The first query I calculate the daily amount, calculated after the date +7 days, the average amount of 5/9 to 5/16, the field name is Totalweekqty, Totalweekqty still calculate the number of the day. How do i make |search now < week| or | where now < month | working? Thank you.
sourcetype=xxx PartNo=123 VendorCode=1000 storage_in_date=2014-05-09*
| eval Indate = substr(storage_in_date, 1, len(storage_in_date)-13)
| eval now = strptime(Indate, "%Y-%m-%d")
|eval week=(now+604800)
|eval month=(now+2592000)
| stats sum(qty) as Totaldayqty values(now) as now values(week) as week values(month) as month by VendorCode,PartNo
|search now < week
| stats values(Totaldayqty) as Totaldayqty avg(Totaldayqty) as Totalweekqty values(now) as now values(week) as week values(month) as month by VendorCode,PartNo
| where now < month | stats values(Totaldayqty) as Totaldayqty values(Totalweekqty) as Totalweekqty avg(Totalweekqty) as Totalmonthkqty by VendorCode,PartNo |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys, finally use "delta" command, thank you everybody kindly support.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting started with stats, eventstats and streamstats may be what you are looking for.
http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/
If that does not help more info will be needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to scrap everything after the first pipe ("|"), show us a few events from your base search, and then clearly explain what you are trying to accomplish. Your search makes no sense and there is not enough explanation to allow us to understand what you are trying to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
As you are constructing week and month from now, following case will be always true
now < week < month
Also, for all the events, you will get same values for now, week, and month.
Can you please explain what is required? If possible, share some sample events and what is the expected output.
Thanks!!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
