Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

while using streamstats avg(daycount) the resulting stats are out of order

caseygj
Explorer
‎01-15-2020 08:30 AM

My current search string looks like this:

index=cisco host=cr0* OR host=SC0* | stats count as daycount by date_month, date_mday | streamstats avg(daycount) | sort by date_month,date_mday | fields - date_month

I am looking for a daily average (daycount) and comparing it to actual events over a 30 day period of time.

I thought everything was going well until I got to day 10 of the this month and its clear the daycount value is being sorted incorrectly it's being sorted as txt not as a value. i sense it has something to do with the streamtats but it's not clear to me how to fix it.

My results look like this (any thoughts or suggestions on how to correct the order of the results from the streamstats for avg(daycount) would be appreciated.

The chart should be showing a rapid decline Avg(Daycount)

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jpolvino
Builder
‎01-15-2020 09:04 AM

One way to solve this would be to use a time sorter field, sort by it, do your streamstats, and then throw it away. Does this get you closer?

index=cisco host=cr0* OR host=SC0*
| stats count as daycount first(_time) as timesort by date_month,date_mday
| sort timesort
| streamstats avg(daycount) | fields - date_month timesort

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jpolvino
Builder
‎01-15-2020 09:04 AM

One way to solve this would be to use a time sorter field, sort by it, do your streamstats, and then throw it away. Does this get you closer?

index=cisco host=cr0* OR host=SC0*
| stats count as daycount first(_time) as timesort by date_month,date_mday
| sort timesort
| streamstats avg(daycount) | fields - date_month timesort
0 Karma
Reply
Solved! Jump to solution

caseygj
Explorer
‎01-15-2020 09:57 AM

Thank you, This works excellent.

I see the addition but not entirely clear to me exactly why my original sort on date_month, date_mday did not work. unless it's an order of operations deal where my sort was after the streamstats instead of before it.

I love it though, it works..

I wanted to ward you points for you answer here but it seems I do not have enough Karma to do so (Phhhh, go figure)... I am now on the search for more karma.

🙂 have a nice day jpolvino, you made mine! This is excellent

Reply
Solved! Jump to solution

jpolvino
Builder
‎01-15-2020 10:12 AM

Glad to help out!

Your original sort lost calendar meaning and reverted to lexicographical ordering. If you ran your original search starting in Nov and going to today, you would have seen the months ordered as december, january, november due to this fact. Strip off the very last part of your original search and you'll see this.

0 Karma
Reply
Solved! Jump to solution

caseygj
Explorer
‎01-15-2020 01:47 PM

Wow, I had no idea, thank you for pointing that out. I have this problem in a few other areas that I need to fix then... thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...