Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

get average actions per hour

h3xm0nk37
New Member
‎04-04-2018 11:53 AM

Hello,

Sorry for may what be an easy question, I have been searching for hours to find a solution to my problem. I have an audit log which I want to get the average number for every "action" performed in an hour since logging began. There are a number of possible actions, for example, search, edit, delete.

An example log looks like this: 

timestamp=04-04-2018 19:42:35.072, user=admin, action=search
timestamp=04-04-2018 19:43:35.075, user=admin, action=edit
timestamp=04-04-2018 19:44:35.071, user=admin, action=delete
timestamp=04-04-2018 19:44:37.072, user=admin, action=search

I want the table output to look like this:

Action                           Total_Average_Per_Hour

Search                                      6
Edit                                        3
Delete                                      2
0 Karma
Reply

elliotproebstel
Champion
‎04-04-2018 12:58 PM

Assuming your logs are formatted exactly as posted, this should do it for you:

|eval time=strptime(timestamp, "%m-%d-%Y %H") 
| stats count by action, time
| stats avg(count) AS Total_Average_Per_Hour by action

It parses the timestamp with granularity down to the hour, counts the number of events per [action:hour] pairing, then calculates the average per action.

0 Karma
Reply

h3xm0nk37
New Member
‎04-04-2018 01:49 PM

Thank you! That seems to be working. 

0 Karma
Reply

elliotproebstel
Champion
‎04-04-2018 06:45 PM

Yup! Sure is.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...