Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Average Failed Logins by Day of Week For Last 90 Days

SplunkLunk
Path Finder
‎09-14-2020 08:36 AM

Greetings,

The search I am using currently is giving me the total number of failed logins by day of the week for the last 90 days:

| base search event="login_fail"
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count by weekday
| stats avg(count) by weekday

The problem is I want to find the daily average number of failed logins for the last 90 days.  For example, in the search above is shows a total of 625 failed logins for Fridays.  The last line of the search isn't providing any value so it's not needed.  Is there a way to modify my search to get that average number instead of the total count for Fridays?  For example, since there are ~12 Fridays over the last 90 days that would come out to ~52 failed logins on Fridays (12 * 52 is where I get the 625).    Thanks for any help.

Labels (2)
Labels
0 Karma
Reply

danielansell
Path Finder
‎09-15-2020 08:50 AM

Try this:

| base search event="login_fail"
| eval weekday=strftime(_time,"%A"), date=strftime(_time,"%x")
| stats count by date, weekday
| stats avg(count) by weekday

0 Karma
Reply

SplunkLunk
Path Finder
‎09-14-2020 10:53 AM

I want to do what the person in this old post tried to do but the solution there isn't working for me:

https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2020 09:01 AM

Try this variation of your query.

base search
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count, dc(date_mday) as days by weekday
| eval avg=count/days
| table weekday avg
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SplunkLunk
Path Finder
‎09-14-2020 09:02 AM

Thanks for the response.  But that search doesn't produce any results in the "avg" column.  It's blank.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-14-2020 02:19 PM

Hi

can you check your base search as this is working for me

index=_internal earliest=-1mon
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count, dc(date_mday) as days by weekday
| eval avg=count/days
| table weekday avg
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...