Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Build Average of Last 4 Monday(Current day) vs Today in a Timechart for HTTPS_CODE ?

tonishantsms
Observer
‎09-18-2023 01:43 AM

Hey @carasso and @splunk team

I want to build the splunk query using the below requirements:

  • Data Source: sourcetypepcf app_name=xyz HTTP_PATH="/*"
  • Time Frame: The query should cover a 4-week period (earliest=-4w).
  • Display: Calculate and display the average count per hour for the current day of the week for HTTP_STATUS_CODE. 

Using the reference #https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Chart-Average-of-Last-4-Thursdays-vs-Tod....

We build the query but while we calculate the average we are getting zero results.

Query is - [search ] earliest=-4w | eval current_day = strftime(now(), "%A") | eval log_day = strftime(_time, "%A") | where current_day == log_day | timechart span=1h avg(count) by HTTP_STATUS_CODE.

I would except to take the average by hour for all 4 days and build the timechart span by 1hours for 24 hours.

 

Can you please for the same...

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-18-2023 03:27 AM

Try something like this

[search ] earliest=-4w 
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE 
| chart avg(count) as average by hour HTTP_STATUS_CODE
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...