Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show count increase by percent from average of the last X months?

summitsplunk
Communicator
‎04-18-2018 12:06 PM

Is it possible to

index="myindex" mcType=auditLog | search auditType="*" | stats count by auditType | where count (This is where I don't know what to do)

Is it possible to show where count has increased by 10 percent from the average of the last 12 months.?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎04-18-2018 12:22 PM

Hi,
You are probably looking for something like filter days where count >10% of yearly average.
Try this query as it is, I wrote it on the _audit index so that it works for you as wellindex="_audit" | timechart span=1d count| eventstats avg(count) as avg | where count >=0.1*avg

You need to retro fit your index

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-18-2018 12:45 PM

What's time range you're using for your original query?

0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎04-18-2018 12:22 PM

Hi,
You are probably looking for something like filter days where count >10% of yearly average.
Try this query as it is, I wrote it on the _audit index so that it works for you as wellindex="_audit" | timechart span=1d count| eventstats avg(count) as avg | where count >=0.1*avg

You need to retro fit your index

Reply
Solved! Jump to solution

summitsplunk
Communicator
‎04-18-2018 02:38 PM

This is sort of what I'm looking for.

Is there a way to format the query so that it counts by audittype and displays the average next to it like you did for your index?

Like if I did

index="myindex" mcType=auditLog auditType="*" |stats count by auditType

It currently shows as

auditType , count

but I'd love to see

auditType , avg, count

With your query index="myindex" mcType=auditLog auditType=* | timechart span=1d count| eventstats avg(count) as avg | where count >=0.1*avg

I'm getting time, count , average

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎04-19-2018 03:09 AM

index="myindex" mcType=auditLog auditType="*" |stats count by auditType|eventstats avg(count) as avg | where count >=0.1*avg | fields - avg

0 Karma
Reply
Solved! Jump to solution

summitsplunk
Communicator
‎04-19-2018 08:13 AM

Thank you, this was very helpful to steer me in the right direction.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...