I have a search as follows
field_id="X" | eval b=len(_raw) | stats sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)
Which displays the result in bytes, megabytes and gigabytes for a particular search.
Now how can I make it display the timechart count for each day and get the average count for the data?
Try this - Here I'm just replacing stats sum(b) with timechart span=1d sum(b). When run over a 7 day timerange, instead of one row in your search result you'll get 7 (or more generally 8, since there's part of today as well as part of 8 days ago in a 7 day timerange).
field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)
UPDATE:
(sorry for forgetting the 'avg per day' bit) - you then want to calculate what the average is per day, but first of all I would make sure that your timerange is very precise about what days are being searched. The default "Last 7 days" timerange is from -7d@h to now. However this will include today up to the current time, which is bad, and also a little slice of the day that was exactly one week ago. Instead you should use the "Advanced" part of the time range picker to run this timerange:
earliest: -7d@d
latest: @d
That will run precisely a 7 day timerange.
Then you can calculate the average of those just by tacking on an extra
| stats avg(mb) as MB avg(gb) as GB
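As an added illustration (not part of the original answer, and not Splunk code), the Python below emulates the pipeline on constructed events: it buckets raw-event sizes per day like timechart span=1d sum(b), converts to MB/GB like the eval lines, and averages like stats avg(mb). It also contrasts the snapped range (-7d@d to @d) with the default hour-snapped "Last 7 days" range, showing how the two partial days at the ends pull the per-day average down. The event data, the fixed "now" and the helper names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" for a reproducible example (assumption, not real data).
NOW = datetime(2024, 3, 10, 14, 30, tzinfo=timezone.utc)


def snap_to_day(t):
    """Equivalent of the @d snap: midnight of the day containing t."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def time_range(now, days=7, snap=True):
    """Return (earliest, latest) for a 'Last N days' search.

    snap=True  emulates earliest=-7d@d latest=@d (whole days only).
    snap=False emulates the default -7d@h to now (partial day at each end).
    """
    if snap:
        latest = snap_to_day(now)
        earliest = latest - timedelta(days=days)
    else:
        latest = now
        earliest = now.replace(minute=0, second=0, microsecond=0) - timedelta(days=days)
    return earliest, latest


def make_events(now):
    """Constructed sample events: one 1 MiB event every 6 hours for the last 9 days."""
    events = []
    t = now - timedelta(days=9)
    while t <= now:
        events.append((t, 1024 * 1024))  # (_time, len(_raw))
        t += timedelta(hours=6)
    return events


def daily_sizes(events, earliest, latest):
    """Emulate: timechart span=1d sum(b) as b | eval mb=... | eval gb=...

    Splunk treats earliest as inclusive and latest as exclusive; the same
    rule is applied here. (A real timechart also emits 0-rows for empty days;
    the constructed data has no gaps, so that case does not arise.)
    """
    buckets = defaultdict(int)
    for t, nbytes in events:
        if earliest <= t < latest:
            buckets[snap_to_day(t).date()] += nbytes
    rows = []
    for day in sorted(buckets):
        b = buckets[day]
        rows.append({
            "_time": day,
            "b": b,
            "mb": round(b / 1024 / 1024, 2),
            "gb": round(b / 1024 / 1024 / 1024, 2),
        })
    return rows


def average_per_day(rows):
    """Emulate: | stats avg(mb) as MB avg(gb) as GB"""
    n = len(rows)
    if n == 0:
        return {}
    return {
        "MB": round(sum(r["mb"] for r in rows) / n, 2),
        "GB": round(sum(r["gb"] for r in rows) / n, 2),
    }


if __name__ == "__main__":
    events = make_events(NOW)
    for snap in (True, False):
        earliest, latest = time_range(NOW, snap=snap)
        rows = daily_sizes(events, earliest, latest)
        label = "-7d@d to @d" if snap else "-7d@h to now"
        print(f"{label}: {len(rows)} rows, avg per day {average_per_day(rows)}")
```

With the snapped range the example yields 7 rows of 4.0 MB and an average of 4.0 MB/day; with the default range it yields 8 rows (two of them partial days) and the average drops to 3.5 MB/day, which is exactly the distortion the answer warns about.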
Just add " | eventstats avg(gb) as Avg " at the end for the average for that time period.
D'oh - thanks somesoni2. I neglected to follow through all the way and write up how to do the avg-per-day. I've updated the answer.
And how to calculate average(mb) for the past 7 days?