Splunk Search

How to search the average number of events per day by severity?

502087470
New Member

I have a macro that breaks out events by severity. I am trying to look at the average number of events by severity, averaged for each day of the week and each hour. I'm using the following and it is breaking out events by severity, but it is not populating the average number of events for each day of the week, and I'm missing the hour of each day of the week.

| bucket _time span=1d
| eval DayOfWeek=strftime(_time, "%a")
| stats avg(severity) AS Avg by DayOfWeek, severity

My results are:

DayOfWeek   severity         Avg
Wed       high   
Wed       informational  
Wed       low    
Wed       medium     
Wed       info   
Wed       critical   
Tue       critical ...

I'm looking for:

Day of week    hour     severity     average # events
Mon            12:00    critical     200
Mon            1:00     critical     50 
Mon            .....
Tues           12:00    high         50
Tues           1:00     high         25
Tues           2:00     high         15

sundareshr
Legend

Try this

| bucket _time span=1h
| eval DayOfWeek=strftime(_time, "%a %H:%M")
| stats avg(severity) AS Avg by DayOfWeek, severity

And, if you want to split DoW & Hour, you can add this to the end

... | rex field=DayOfWeek "(?<DayOfWeek>\w{3})\s(?<Hour>.*)" | table DayOfWeek Hour severity Avg

502087470
New Member

That gets me closer but doesn't break out each severity per hour, per day, average. It still doesn't populate the average number of events and I can't seem to figure out why.

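An added example (not from either poster) of a search that produces the requested table. The Avg column in the searches above stays empty because severity is a text field, so avg(severity) has nothing numeric to average; the count of events per hourly bucket has to be computed first and then averaged across weeks. Index and sourcetype are placeholders; the severity field and the four-week window are assumptions.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-4w@w latest=@w
| timechart span=1h count BY severity limit=0 useother=f
| untable _time severity events
| eval DayOfWeek=strftime(_time, "%a"), dow=strftime(_time, "%u"), Hour=strftime(_time, "%H:00")
| stats avg(events) AS "average # events" BY dow DayOfWeek Hour severity
| sort dow Hour severity
| fields - dow
```

timechart rather than stats in the first step so that hours with no events of a given severity count as 0 instead of being dropped from the average; the dow field only exists to sort Mon..Sun rather than alphabetically.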