Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

typical week base on month data

JakubJ
Explorer
‎09-01-2020 11:25 PM

Hello,

I'm trying to chart typical week of our web application users based on data from last 4 weeks. Idea is, roughly explained, that I would calculate sum of request group (login, user accounts, etc - already done) per day and then created some type of "7 day window" in which there would be (seen in a graph) only 7 days but each day would be average of that day from last month.

So in a graph there would be (for example in case of request_group='login'):

Monday - 10 - which si average of sum in all mondays (10, 10, 5, 15, 10)
Tuesday - 8 - which is avg of sum in all tuesdays (8, 10, 6, 8, 😎
...and so on up until Sunday

part of my search is:

host "server" sourcetype="access_combined"
... some eval stuff ...
| fields _time request_group
... here should by magic calculating data ...

Thank you in advance. I've already tried different approach using streamstats or timewrap, but nothing worked as I intended.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-01-2020 11:42 PM 
index=_internal sourcetype=splunkd_access
| bin _time span=1d
| stats count by date_wday,_time
| stats avg(count) as average by date_wday
————————————
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-01-2020 11:42 PM 
index=_internal sourcetype=splunkd_access
| bin _time span=1d
| stats count by date_wday,_time
| stats avg(count) as average by date_wday
————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

JakubJ
Explorer
‎09-02-2020 12:38 AM

thank you for your hint. I was able to include this into my search, so last part in my case looks like this:

 

host "server" sourcetype="access_combined"
... some eval stuff ...
| fields date_wday _time request_group
| search request_group!="other"
| bin _time span=1d
| stats count by date_wday,request_group,_time
| chart avg(count) as prumer by date_wday,request_group
| eval sort_field = case(date_wday=="monday", 1,
    date_wday=="tuesday", 2,
    date_wday=="wednesday", 3,
    date_wday=="thursday", 4,
    date_wday=="friday", 5,
    date_wday=="saturday", 6,
    date_wday=="sunday", 7)
| sort 0 sort_field

 

 

sorting is based (coppied 🙂 ) from https://community.splunk.com/t5/Splunk-Search/Days-in-Alphabetical-Order-but-need-to-be-in-day-order...

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-02-2020 12:14 AM

please like my answer if it solves your problem.:)

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...