hi folks -
I'm trying to plot a timechart with two separate values:
1 - the raw event count (a.k.a. total number of "transactions") over time
2 - the value of said raw event count over time, divided by the number of unique / distinct users
I'd also like to try and get a 3rd single value which represents the average number of transactions for any given day across the whole deployment. I imagine that'd be a saved search based on the search above, which I can summarise.
the deployment consists of several cisco WSAs submitting their access log data.
** Note that "users" who do not authenticate show up as user_id="-"; however, I've used eval to substitute the device IP (dvc_ip) wherever that hyphen occurs, for cleaner data:
eval user_id=if(user_id=="-",dvc_ip,user_id)
cheers,
andrew
Perhaps this can give you some insights regarding the use of timechart, eventstats, eval and addtotals. It's based on _internal data, so you can run it for yourself.
index=_internal sourcetype=splunkd earliest=-5d@d latest=@d
| timechart span=1d c by group limit=0 useother=f
| addtotals fieldname=Daily_Total
| eventstats avg(Daily_Total) AS Total_Avg
| eval Total_Avg=round(Total_Avg,1)
| eval Total_Diff = Daily_Total - Total_Avg
Hope this helps,
K
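Applying the same timechart/eventstats pattern to the WSA question as originally asked, as an added example that is not part of either post above. It assumes the events live in an index and sourcetype named `index=wsa sourcetype=cisco:wsa:squid` (both placeholders; substitute whatever your WSA inputs actually use) and reuses the `user_id` / `dvc_ip` field names and the hyphen substitution from the question; `count`, `dc()`, `timechart`, `eventstats` and `eval` are standard SPL commands and functions.

```spl
index=wsa sourcetype=cisco:wsa:squid earliest=-30d@d latest=@d
| eval user_id=if(user_id=="-", dvc_ip, user_id)
| timechart span=1d count AS transactions dc(user_id) AS distinct_users
| eval transactions_per_user=round(transactions/distinct_users, 2)
| eventstats avg(transactions) AS avg_daily_transactions
| eval avg_daily_transactions=round(avg_daily_transactions, 1)
```

Line by line: the `eval` must come before `timechart`, because `timechart` discards every field except `_time` and the aggregates, so the substitution has to happen while `dvc_ip` is still on the event. `count AS transactions` is value 1 from the question; `dc(user_id)` gives the number of distinct users seen that day, and dividing by it gives value 2 (transactions per active user per day). `eventstats avg(transactions)` attaches the average daily count to every row, which is value 3; if you only want that one number, replace the `eventstats` line with `| stats avg(transactions) AS avg_daily_transactions` (or leave it in the timechart and feed the search to a single-value panel). One caveat on the data cleaning: once unauthenticated hits are keyed by `dvc_ip`, every unauthenticated client behind the same proxy or NAT address counts as a single "user", so `distinct_users` is a lower bound on those days rather than an exact headcount.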