Is it possible to show a column chart of the average log count per hour over several days?

cmeyers
Explorer

I apologize if this has been asked before. The examples I have found are a bit too much, as what I want to achieve is hopefully simple.

I would like to show a column graph showing the average amount of logs received by hour over the last 7 days. The graph needs to have 24 hours as columns and their average count by hour over 7 days. So my search is as simple as:

device_type=firewall | timechart span=1h ?

Do you do a timechart with a span of 1h to get the hourly averages over the several days? I am not sure how to average them from there. Do I need a query for each hour of the day? I would assume I would have the search time going back as far as I want the log average to be affected by.

Any help would be appreciated!

1 Solution

somesoni2
Revered Legend

Try something like this (assuming you want avg count for that hour for x days).

device_type=firewall | timechart span=1h count | eval Hour=strftime(_time,"%H:%M") | stats avg(count) as Avg_count by Hour

So if, for the past 7 days, the count for hour 10:00 is 1, 2, 3, 4, 5, 6 and 7, then Avg_count for 10:00 should be 4.
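A Python model of the three stages of the search above (hourly count, hour label, average by label), added here as an illustration and not part of the original answer or Splunk's own code. The event timestamps are constructed, and the function names are hypothetical. It also shows that hours with no events, which timechart emits with a count of 0, pull the average down instead of being skipped.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def hourly_counts(timestamps, start, end):
    """Model of `timechart span=1h count`: one bucket per hour in [start, end),
    with empty hours kept as 0."""
    counts = Counter(ts.replace(minute=0, second=0, microsecond=0) for ts in timestamps)
    buckets = {}
    t = start
    while t < end:
        buckets[t] = counts.get(t, 0)
        t += HOUR
    return buckets

def avg_by_hour(buckets):
    """Model of `eval Hour=strftime(_time,"%H:%M") | stats avg(count) by Hour`."""
    groups = defaultdict(list)
    for bucket_start, n in buckets.items():
        groups[bucket_start.strftime("%H:%M")].append(n)
    return {hour: sum(v) / len(v) for hour, v in sorted(groups.items())}

def constructed_events(start, days=7):
    """Constructed sample: day d (1..7) has d events in the 10:00 hour;
    the 03:00 hour has 2 events on the first day only."""
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        events += [day + timedelta(hours=10, minutes=m) for m in range(d + 1)]
    events += [start + timedelta(hours=3, minutes=5),
               start + timedelta(hours=3, minutes=40)]
    return events

START = datetime(2024, 1, 1)          # constructed 7-day search window
END = START + timedelta(days=7)
BUCKETS = hourly_counts(constructed_events(START), START, END)
AVERAGES = avg_by_hour(BUCKETS)       # 24 labels, one column each

if __name__ == "__main__":
    for hour, avg in AVERAGES.items():
        print(f"{hour}  {avg:.2f}")
```
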
