How to calculate average for several prior observa...

samjone · ‎04-27-2017

Lets say, i have a requirement to show hourly count of payments in a timechart-
And lets say today is Monday.

I will do-

index=payments sourcetype=xyz|timechart span=1h count

Now, i need to show comparative analysis to show how count of payments being observed today at every hourly interval trend up against previous 2 weeks Monday's. So basically additional comparison line showing average of data from previous 2 Mondays for the same time interval.

Eg- Today- Monday number of payments at 10am were 100.
Last week monday, number of payments at 10am were 50
Prior to that week Monday, number of payments at 10am were 10

So, value of 100 should show up in todays line chart and average of 50 and 10...which is 50+10/2=30 should up in second line on the same chart.

And this thing to be done for entire full day.(on hourly basis)

how to do, please advise, Thank you !

dineshraj9 · ‎04-27-2017

Try below logic -

index=payments sourcetype=xyz earliest=@d latest=now | eval day="today" | timechart span=1h count by day 
| append [ search index=payments sourcetype=xyz earliest=-7d latest=-6d | eval day="last week" | eval _time=_time + 604800 |timechart span=1h count by day ] 
| append [ search index=payments sourcetype=xyz earliest=-14d latest=-13d | eval day="2 weeks back" | eval _time=_time + 604800 * 2 |timechart span=1h count by day ]

How to calculate average for several prior observations and compare that to the current observation?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life