Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to calculate the average of my search result for past 7 days. Also how can i make my result to display in timechart for 7 days?

pavanae
Builder
‎10-03-2016 12:44 PM

I have a search as follows

field_id="X" | eval b=len(_raw) | stats sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)

Which displays the result in bytes,megabytes and gigabytes for a particullar search.

Now how can i make to display the timechart count for each day and get the average count for the data?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-03-2016 12:48 PM

Try this - Here I'm just replacing stats sum(b) with timechart span=1d sum(b). When run over a 7 day timerange, instead of one row in your search result you'll get 7 (or more generally 8, since there's part of today as well as part of 8 days ago in a 7 day timerange)

field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)

UPDATE:
(sorry for forgetting the 'avg per day' bit) - you then want to calculate what the average is per day, but first of all I would make sure that your timerange is very precise about what days are being searched. The default "Last 7 days" timerange is from -7d@h to now. However this will include today up to the current time, which is bad, and also a little slice of the day that was exactly one week ago. Instead you should use the "Advanced" part of the time range picker to run this timerange:

earliest: -7d@d
latest: @d

That will run precisely a 7 day timerange.

Then you can calculate the average fo those just by tacking on an extra 

| stats avg(mb) as MB  avg(gb) as GB

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-03-2016 12:48 PM

Try this - Here I'm just replacing stats sum(b) with timechart span=1d sum(b). When run over a 7 day timerange, instead of one row in your search result you'll get 7 (or more generally 8, since there's part of today as well as part of 8 days ago in a 7 day timerange)

field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)

UPDATE:
(sorry for forgetting the 'avg per day' bit) - you then want to calculate what the average is per day, but first of all I would make sure that your timerange is very precise about what days are being searched. The default "Last 7 days" timerange is from -7d@h to now. However this will include today up to the current time, which is bad, and also a little slice of the day that was exactly one week ago. Instead you should use the "Advanced" part of the time range picker to run this timerange:

earliest: -7d@d
latest: @d

That will run precisely a 7 day timerange.

Then you can calculate the average fo those just by tacking on an extra 

| stats avg(mb) as MB  avg(gb) as GB
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-03-2016 01:00 PM

Just add " | eventstats avg(gb) as Avg " at the end for the average for that time period.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎10-03-2016 01:07 PM

D'oh - thanks somesoni2. I neglected to follow through all the way and write up how to do the avg-per-day. I've updated the answer.

0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎10-03-2016 12:58 PM

And How to calculate average(mb) for the past 7 days?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...