Hello,
Sorry for what may be an easy question; I have been searching for hours to find a solution to my problem. I have an audit log from which I want to get the average number of each "action" performed per hour since logging began. There are a number of possible actions, for example search, edit, delete.
An example log looks like this:
timestamp=04-04-2018 19:42:35.072, user=admin, action=search
timestamp=04-04-2018 19:43:35.075, user=admin, action=edit
timestamp=04-04-2018 19:44:35.071, user=admin, action=delete
timestamp=04-04-2018 19:44:37.072, user=admin, action=search
I want the table output to look like this:
Action Total_Average_Per_Hour
Search 6
Edit 3
Delete 2
Assuming your logs are formatted exactly as posted, this should do it for you:
| eval time=strptime(timestamp, "%m-%d-%Y %H")
| stats count by action, time
| stats avg(count) AS Total_Average_Per_Hour by action
It parses the timestamp with granularity down to the hour, counts the number of events per [action:hour] pairing, then calculates the average per action.
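The same two-stage aggregation, written out in Python rather than SPL so the steps can be run and inspected offline. This is an added example, not code from the original post or answer; the log lines it reads are constructed to match the format shown above (plus one deliberately malformed line to show it being skipped). It also makes one caveat explicit: `stats count by action, time` only produces rows for hours in which an action actually occurred, so the answer's average is taken over "active" hours only. If "since logging began" is meant literally, hours with zero occurrences of an action should count too, which the second averaging function does.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log in the format from the post (not real data).
# The last line is deliberately malformed to show how unparseable lines are handled.
SAMPLE_LOG = """\
timestamp=04-04-2018 19:42:35.072, user=admin, action=search
timestamp=04-04-2018 19:43:35.075, user=admin, action=edit
timestamp=04-04-2018 19:44:35.071, user=admin, action=delete
timestamp=04-04-2018 19:44:37.072, user=admin, action=search
timestamp=04-04-2018 20:05:00.000, user=alice, action=search
timestamp=04-04-2018 21:10:12.500, user=bob, action=edit
this line is not an audit event
"""

# key=value pairs separated by commas; values run up to the next comma.
KV_RE = re.compile(r"(\w+)=([^,]+)")


def parse_line(line):
    """Extract the key=value fields from one log line.

    Returns a dict with an added 'ts' datetime, or None when the line lacks a
    timestamp/action or the timestamp does not match the expected layout.
    """
    fields = {k: v.strip() for k, v in KV_RE.findall(line)}
    if "timestamp" not in fields or "action" not in fields:
        return None
    try:
        fields["ts"] = datetime.strptime(fields["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
    except ValueError:
        return None
    return fields


def hourly_counts(lines):
    """Count events per (action, hour bucket).

    Equivalent to the SPL `eval time=strptime(..., "%m-%d-%Y %H") | stats count by action, time`:
    the timestamp is truncated to the hour, then events are counted per pairing.
    """
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that are not well-formed audit events
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        counts[(ev["action"], hour)] += 1
    return dict(counts)


def avg_over_active_hours(counts):
    """Average per action over only the hours in which that action occurred.

    This is what `stats avg(count) by action` computes on the output of the
    previous stage, because rows only exist for (action, hour) pairs that were seen.
    """
    per_action = defaultdict(list)
    for (action, _hour), n in counts.items():
        per_action[action].append(n)
    return {a: sum(v) / len(v) for a, v in per_action.items()}


def avg_over_all_hours(counts):
    """Average per action over every hour from the first to the last event.

    Hours in which an action did not occur contribute zero, which is the
    reading of "average per hour since logging began" that includes quiet hours.
    """
    hours = sorted({h for (_action, h) in counts})
    total_hours = int((hours[-1] - hours[0]).total_seconds() // 3600) + 1
    totals = defaultdict(int)
    for (action, _hour), n in counts.items():
        totals[action] += n
    return {a: t / total_hours for a, t in totals.items()}


if __name__ == "__main__":
    c = hourly_counts(SAMPLE_LOG.splitlines())
    print("active-hour averages:", avg_over_active_hours(c))
    print("all-hour averages:   ", avg_over_all_hours(c))
```

On the constructed sample the two readings differ noticeably (for example `search` averages 1.5 over its two active hours but 1.0 over the three hours the log spans), which is worth checking against what the reporting requirement actually means before relying on the SPL figure.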
Thank you! That seems to be working.
Yup! Sure is.