Splunk Search

Is it possible to show a column chart of the average log count per hour over several days?

cmeyers
Explorer

I apologize if this as been asked before. The examples I have found are a bit too much, as what I want to achieve is hopefully simple.

I would like to show a column graph showing the average amount of logs received by hour over the last 7 days. The graph needs to have 24 hours as columns and their average count by hour over 7 days. So my search is as simple as:

device_type=firewall | timechart span=1h ?

Do you do a timechart with a span of 1h to get the hourly averages over the several days? I am not sure how to average them from there. Do I need a query for each hour of the day? I would assume I would have the search time going back as far as I want the log average to be effected by.

Any help would be appreciated!

0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this (assuming you want avg count for that hour for x days).

device_type=firewall | timechart span=1h count | eval Hour=strftime(_time,"%H:%M") | stats avg(count) as Avg_count by Hour

So if for past 7 days, the count for hour 10:00 is 1,2,3,4,5,6 and 7 then Avg_count for 10:00 should be 4.

View solution in original post

0 Karma

somesoni2
Revered Legend

Try something like this (assuming you want avg count for that hour for x days).

device_type=firewall | timechart span=1h count | eval Hour=strftime(_time,"%H:%M") | stats avg(count) as Avg_count by Hour

So if for past 7 days, the count for hour 10:00 is 1,2,3,4,5,6 and 7 then Avg_count for 10:00 should be 4.

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...