Splunk Search

statistic by week days

Communicator

How do I get an average count of operations during current minute using last 3 weeks, for example?
I need to know how to get the distribution of number of operations during the time of day (every minute, or five minutes, for example)

0 Karma
1 Solution

Contributor

In that case you can use the join command with sub searches:


sourcetype="Your Sourcetype" earliest=@w1-2w+9h latest=@w1-2w+10h | chart count as "Two Weeks Ago" by Operation | join Type=outer [search sourcetype="Your Sourcetype" earliest=@w1-1w+9h latest=@w1-1w+10h | chart count as "One Week Ago" by Operation] | join Type=outer [search sourcetype="Your Sourcetype" earliest=@w1+9h latest=@w1+10h | chart count as "This Week" by Operation] | whatever stats you'd like to do to your results

@w1 is Monday,
1w is 1 week,
2w is 2 weeks,
etc...

If you want to run this every hour as an alert, just get rid of the +9h and +10h time modifiers and set the search to run on an hourly basis and send a mail.

View solution in original post

Contributor

In that case you can use the join command with sub searches:


sourcetype="Your Sourcetype" earliest=@w1-2w+9h latest=@w1-2w+10h | chart count as "Two Weeks Ago" by Operation | join Type=outer [search sourcetype="Your Sourcetype" earliest=@w1-1w+9h latest=@w1-1w+10h | chart count as "One Week Ago" by Operation] | join Type=outer [search sourcetype="Your Sourcetype" earliest=@w1+9h latest=@w1+10h | chart count as "This Week" by Operation] | whatever stats you'd like to do to your results

@w1 is Monday,
1w is 1 week,
2w is 2 weeks,
etc...

If you want to run this every hour as an alert, just get rid of the +9h and +10h time modifiers and set the search to run on an hourly basis and send a mail.

View solution in original post

Contributor

you could use the in-built _time field instead of extracting the time field using regex. So...

....| chart count as "1wAgo" by _time |
join type=inner _time
[search.....

OR

you could use the timechart command instead of chart.

0 Karma

Communicator

thank you

I think I really need something like this:

sourcetype=MySource operation=MyOp
earliest = -15m@m latest = -0m@m |
rex " (?P\d\d:\d\d)" |
chart count as "0wAgo" by hhmm |
join type=inner hhmm
[search
sourcetype=MySource operation=MyOp
earliest = -1w@m-15m@m latest = -1w@m |
rex " (?P\d\d:\d\d)" |
chart count as "1wAgo" by hhmm |
join type=inner hhmm
[search
sourcetype=MySource operation=MyOp
earliest = -2w@m-15m@m latest = -2w@m |
rex " (?P\d\d:\d\d)" |
chart count as "2wAgo" by hhmm
]
]

0 Karma

Communicator

I need to put the events happened at 9-00 this monday together with the events happenned at 9-00 on monday a week ago, and also two weeks ago. And I want to do this for each time interval.

0 Karma