Hi, I get exactly the same count for avg and peak. Any issue with my query?
index=a sourcetype=ab earliest=-30d latest=now | bucket _time span=1mon | stats count by _time | eval date_month=strftime(_time, "%b") | eval date_day=strftime(_time, "%a") | stats avg(count) as AverageCountPerDay max(count) AS Peak_Per_Month by date_month, date_day
date_month date_day AverageCountPerDay Peak_Per_Month
Bucket is setting each _time to the beginning of the month, and stats is counting for that day, so you are only getting one count for each month, so average and max are the same.
What is the query I should use?
| bin _time span=1d
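The full query with the suggested daily bin applied, as an added example that is not part of the original thread. It keeps the index, sourcetype and field names from the question and assumes the goal is the average and peak of daily counts per weekday within each month:

```spl
index=a sourcetype=ab earliest=-30d latest=now
| bin _time span=1d
| stats count by _time
| eval date_month=strftime(_time, "%b"), date_day=strftime(_time, "%a")
| stats avg(count) AS AverageCountPerDay max(count) AS Peak_Per_Month by date_month, date_day
```

`stats count by _time` emits no row for a day with zero events, so such days are left out of the average; replacing the `bin` and first `stats` lines with `| timechart span=1d count` fills them in as 0. With `earliest=-30d` the first and last daily buckets cover partial days; `earliest=-30d@d latest=@d` snaps the window to whole days.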