How to Build Average of Last 4 Monday(Current day)...

tonishantsms · ‎09-18-2023

Hey @carasso and @splunk team

I want to build the splunk query using the below requirements:

Data Source: sourcetypepcf app_name=xyz HTTP_PATH="/*"
Time Frame: The query should cover a 4-week period (earliest=-4w).
Display: Calculate and display the average count per hour for the current day of the week for HTTP_STATUS_CODE.

Using the reference #https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Chart-Average-of-Last-4-Thursdays-vs-Tod....

We build the query but while we calculate the average we are getting zero results.

Query is - [search ] earliest=-4w | eval current_day = strftime(now(), "%A") | eval log_day = strftime(_time, "%A") | where current_day == log_day | timechart span=1h avg(count) by HTTP_STATUS_CODE.

I would except to take the average by hour for all 4 days and build the timechart span by 1hours for 24 hours.

Can you please for the same...

ITWhisperer · ‎09-18-2023

Try something like this

[search ] earliest=-4w 
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE 
| chart avg(count) as average by hour HTTP_STATUS_CODE

How to Build Average of Last 4 Monday(Current day) vs Today in a Timechart for HTTPS_CODE ?

using Splunk Enterprise

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform