Splunk Search

How to search the average number of events per day by severity?

502087470
New Member

I have a macro that breaks out events by severity. I am trying to look at the average number of events by severity, averaged for each day of the week and each hour. I'm using the following and it is breaking out events by severity, but it is not populating the average number of events for each day of the week, and I'm missing the hour of each day of the week.

| bucket _time span=1d
| eval DayOfWeek=strftime(_time, "%a")
| stats avg(severity) AS Avg by DayOfWeek, severity

My results are:

DayOfWeek   severity         Avg
Wed       high   
Wed       informational  
Wed       low    
Wed       medium     
Wed       info   
Wed       critical   
Tue       critical ...

I'm looking for:

Day of week    hour     severity     average # events
Mon            12:00    critical     200
Mon            1:00     critical     50 
Mon            .....
Tues           12:00    high         50
Tues           1:00     high         25
Tues           2:00     high         15
0 Karma

sundareshr
Legend

Try this

| bucket _time span=1h
| eval DayOfWeek=strftime(_time, "%a %H:%M")
| stats avg(severity) AS Avg by DayOfWeek, severity

And, if you want to split DoW & Hour, you can add this to the end

... | rex field=DayOfWeek "(?<DayOfWeek>\w{3})\s(?<Hour>.*)" | table DayOfWeek Hour severity Avg
0 Karma

502087470
New Member

That gets me closer, but it doesn't break out the per-hour, per-day average for each severity. It still doesn't populate the average number of events, and I can't seem to figure out why.

0 Karma
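Added example, not from any post in this thread: the reason `Avg` comes back empty in both searches above is that `avg(severity)` asks for the arithmetic mean of a text field (`critical`, `high`, ...), which has no numeric value, so `stats` returns null. What the question is asking for is a two-stage aggregation: first count events per hour bucket and severity, then average those hourly counts across all occurrences of the same weekday and hour. The search below does that against a constructed data set from `makeresults` (28 days of random events with the severity labels from the question) so it runs on any Splunk instance without indexed data; replace the first three lines with the original base search and macro. The field names `events`, `Hour` and `AvgEvents` are my own choices.

```spl
| makeresults count=5000
| eval _time=relative_time(now(), "-28d@d") + (random() % (28*86400))
| eval severity=mvindex(split("critical,high,medium,low,informational", ","), random() % 5)
| timechart span=1h count BY severity
| untable _time severity events
| eval DayOfWeek=strftime(_time, "%a"), Hour=strftime(_time, "%H:00")
| stats avg(events) AS AvgEvents BY DayOfWeek Hour severity
| sort DayOfWeek Hour severity
```

`timechart` is used for the first stage instead of `stats count BY _time severity` because `timechart` emits a row for every hour in the search window and fills missing severity/hour combinations with 0, so quiet hours pull the average down as they should; a plain `stats count` would silently drop those hours and overstate the average. `untable` turns the wide timechart back into one row per hour and severity so the second `stats` can group on it. If the weekday ordering matters for a dashboard, build `DayOfWeek` with `strftime(_time, "%u %a")` (ISO weekday number first) so `sort` orders Mon through Sun rather than alphabetically. The `timechart` default series limit is 10 per split-by field, which is plenty for severity levels but worth knowing if the same pattern is reused for a higher-cardinality field.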