Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to to take median of number of users logged in past 1 hour 

Rocky31
Path Finder
‎04-23-2018 08:48 AM

index=XXX sourcetype="XXX-log" opName="LoginUser"    earliest=-60m latest=now()   | bucket _time span=10m | timechart  count

Any help would be appriciated 🙂

0 Karma
Reply

elliotproebstel
Champion
‎04-23-2018 09:24 AM

Based on how you've written your test query above, I think you're saying you want to count the number of user login events per every ten minutes in the last hour and then find the median of those counts. If so:

index=XXX sourcetype="XXX-log" opName="LoginUser"    earliest=-60m latest=now()
| bin _time span=10m
| stats count by _time
| stats median(count) as median_count
0 Karma
Reply

Rocky31
Path Finder
‎04-24-2018 06:38 AM

Thanks much for the help 🙂

can you also guide me on how to take median of 2 weeks (current and last week ) of past 1 hr values on same day of the week.

index=XXX sourcetype="XXX-log" opName="LoginUser" earliest=-60m latest=now() | bin _time span=10m | stats count by _time | stats median(count) as median_count | appendcols [search index=XXX sourcetype="XXX-log" opName="LoginUser" earliest=-10140m latest=-10080m | bucket _time span=10m |timechart count as LastWeek

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...