Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting an event and then averaging it over a month

scornell2
Engager
‎03-13-2018 08:25 AM

Hello I'm very new to Splunk and have so far been consuming data as .csv files in order to test things out.

I have two main fields; USER_NAME and USER_NBR which are tied together to use (I have a SUBMIT_DATE one as well formatted in %d-%b-%y form). A User can submit multiple jobs in a day and the architects want a Daily Total by User Name and ID and a Monthly Average by User Name and ID in order to have a comparison to determine if they users are deviating over their norm.

The Daily Count was easy (index="03122018" | stats count as "User Submits" by USER_NBR, USER_NAME) however I cannot figure how to create a query that will count the events and average them over the month.

I want to stay away from a subsearch as I think that will add to much overhead to the search and I'm confident that the eval command is my answer but after bashing my head unsuccessfully against SPL for the last day I'm not grasping the answer.

Anything anyone can do to help would be greatly appreciated, thanks for reading.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-13-2018 09:43 AM

Here's the general approach I'd take:
Gather all events from the last 30 days in the base search

index="03122018" earliest=-30d@d latest=now

Using stats, count the number of events today and also count the number of events over the last 30 days by USER_NBR, USER_NAME

| stats count AS Monthly_Submits, count(eval(SUBMIT_DATE>=strftime(relative_time(now(), "@d"), "%d-%b-%y"))) AS Today_Submits BY USER_NBR, USER_NAME

Note that if you'd like to change "Today" to "Yesterday", for example, you'd change the "@d" value inside the relative_time function to "-1d@d". You can use any of the relative time modifiers here.

Calculate monthly average by dividing Monthly_Submits by 30

| eval Average_Submits=Monthly_Submits/30

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-13-2018 09:43 AM

Here's the general approach I'd take:
Gather all events from the last 30 days in the base search

index="03122018" earliest=-30d@d latest=now

Using stats, count the number of events today and also count the number of events over the last 30 days by USER_NBR, USER_NAME

| stats count AS Monthly_Submits, count(eval(SUBMIT_DATE>=strftime(relative_time(now(), "@d"), "%d-%b-%y"))) AS Today_Submits BY USER_NBR, USER_NAME

Note that if you'd like to change "Today" to "Yesterday", for example, you'd change the "@d" value inside the relative_time function to "-1d@d". You can use any of the relative time modifiers here.

Calculate monthly average by dividing Monthly_Submits by 30

| eval Average_Submits=Monthly_Submits/30
Reply
Solved! Jump to solution

scornell2
Engager
‎03-13-2018 10:03 AM

Thank you very much this was exactly what I was looking for. Now I will dive into how this works.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎03-13-2018 11:59 AM

You're welcome. Now that I'm looking back, I see I forgot the BY clause in the stats call. I'm going to update the post to fix that.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...