Splunk Search

How to calculate the average of my search result for the past 7 days. Also, how can I make my result display in a timechart for 7 days?

pavanae
Builder

I have a search as follows

field_id="X" | eval b=len(_raw) | stats sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)

Which displays the result in bytes, megabytes and gigabytes for a particular search.

Now how can I make it display the timechart count for each day and get the average count for the data?

1 Solution

sideview
SplunkTrust

Try this - Here I'm just replacing stats sum(b) with timechart span=1d sum(b). When run over a 7 day timerange, instead of one row in your search result you'll get 7 (or more generally 8, since there's part of today as well as part of 8 days ago in a 7 day timerange)

field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)

UPDATE:
(sorry for forgetting the 'avg per day' bit) - you then want to calculate what the average is per day, but first of all I would make sure that your timerange is very precise about what days are being searched. The default "Last 7 days" timerange is from -7d@h to now. However this will include today up to the current time, which is bad, and also a little slice of the day that was exactly one week ago. Instead you should use the "Advanced" part of the time range picker to run this timerange:

earliest: -7d@d
latest: @d

That will run precisely a 7 day timerange.

Then you can calculate the average of those just by tacking on an extra

| stats avg(mb) as MB  avg(gb) as GB

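To make the time-range point concrete, here is an added example (not code from the thread or from Splunk) that models the accepted pipeline in Python: it resolves Splunk-style relative-time modifiers (-7d@d, @d, -7d@h, now), buckets events into span=1d rows the way timechart does, including the partial first and last day, sums len(_raw) per bucket, and then averages the per-row mb values. The sample events and the fixed "now" are constructed for the example; with one 64 KiB event per hour, a full day is exactly 1.5 MiB, so the snapped range -7d@d..@d yields seven full rows averaging 1.5, while the default -7d@h..now yields eight rows with two partial days that drag the average down.

```python
"""
Added example (not from the thread): a Python model of the SPL pipeline

    field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b
                 | eval mb=round(b/1024/1024,2) | stats avg(mb) as MB

run over the default "Last 7 days" range (-7d@h to now) and over the snapped
range (-7d@d to @d), to show why the answer insists on the snapped range.
Sample events and the fixed "now" are constructed for the example.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)  # constructed "now"
EVENT_BYTES = 65536  # constructed: one 64 KiB event per hour -> 1.5 MiB per full day

# Subset of Splunk's relative-time syntax: [now][+/-N(d|h)][@(d|h)].
# The offset is applied first, then the snap-to, as Splunk does for "-7d@d".
_REL = re.compile(r"^(now)?(?:([+-]\d+)([dh]))?(?:@([dh]))?$")


def relative_time(expr, now):
    """Resolve a modifier such as '-7d@d', '@d', '-7d@h' or 'now' against now."""
    m = _REL.match(expr.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported time modifier: {expr!r}")
    _, amount, unit, snap = m.groups()
    t = now
    if amount:
        t += timedelta(days=int(amount)) if unit == "d" else timedelta(hours=int(amount))
    if snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    return t


def floor_to_span(ts, span):
    """Start of the span-aligned bucket containing ts (midnight for span=1d)."""
    return EPOCH + ((ts - EPOCH) // span) * span


def timechart_sum_len(events, earliest, latest, span=timedelta(days=1)):
    """`| eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2)`
    for events with earliest <= _time < latest. Like timechart, every bucket that
    overlaps the range is emitted, including partial first/last days.
    Returns [(bucket_start, bytes, mb), ...] in time order."""
    buckets = {}
    t = floor_to_span(earliest, span)
    while t < latest:
        buckets[t] = 0
        t += span
    for ts, raw in events:
        if earliest <= ts < latest:
            buckets[floor_to_span(ts, span)] += len(raw)
    return [(t, b, round(b / 1024 / 1024, 2)) for t, b in sorted(buckets.items())]


def avg_mb(rows):
    """`| stats avg(mb) as MB` over the timechart rows."""
    return sum(mb for _, _, mb in rows) / len(rows)


def build_events(now=NOW, days=10, raw_len=EVENT_BYTES):
    """Constructed sample data: one event per hour for the last `days` days,
    each with a _raw of raw_len bytes, none later than `now`."""
    t = relative_time(f"-{days - 1}d@d", now)
    events = []
    while t <= now:
        events.append((t, "x" * raw_len))
        t += timedelta(hours=1)
    return events


def compare_ranges(events, now=NOW):
    """Per-day rows and the resulting average for both time ranges."""
    out = {}
    for label, (e, l) in {"default -7d@h..now": ("-7d@h", "now"),
                          "snapped -7d@d..@d": ("-7d@d", "@d")}.items():
        rows = timechart_sum_len(events, relative_time(e, now), relative_time(l, now))
        out[label] = (rows, avg_mb(rows))
    return out


if __name__ == "__main__":
    for label, (rows, avg) in compare_ranges(build_events()).items():
        print(label)
        for start, b, mb in rows:
            print(f"  {start:%Y-%m-%d}  b={b:>8}  mb={mb}")
        print(f"  rows={len(rows)}  avg(mb)={avg:.2f}")
```

Note that the model keeps the per-day rows and computes the average from them; if you want both the daily chart and the average in one Splunk result set, somesoni2's eventstats variant below preserves the rows where a trailing stats collapses them to one.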


somesoni2
SplunkTrust

Just add " | eventstats avg(gb) as Avg " at the end for the average for that time period.


sideview
SplunkTrust

D'oh - thanks somesoni2. I neglected to follow through all the way and write up how to do the avg-per-day. I've updated the answer.


pavanae
Builder

And how to calculate average(mb) for the past 7 days?
