Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find difference between (Today's logins) and (Average logins of that particular week day for last 30days) by hour?

sai_john
New Member
‎04-15-2018 09:48 PM

I need to calculate difference between (TodayLogins-AverageLogins of that particular weekday). For that I have calculated Today's logins and (Average logins of all weekdays for last 30days) by hour separately by below searches and joined results of both using join.Can someone help with correctness of below search?
Here is the search i am trying to get difference:

index="_internal" "login" earliest=-30d |search id=""| eval time_hour = strftime(_time, "%H") |eval DayOfWeek = strftime(now(),"%w") | stats dc(id) AS "Total_Login" by time_hour, DayOfWeek| chart avg(Total_Login) AS AverageLogins over time_hour by DayOfWeek limit=0 | table time_hour AverageLogins
|join time_hour [search index="_internal" "*login" earliest=-24h |search id="*" | eval time_hour = strftime(_time, "%H") |eval DayOfWeek = strftime(_time,"%w") |stats dc(id) AS "TodayLogins" by time_hour, DayOfWeek |chart values(TodayLogins) AS TodayLogins by time_hour limit=0 |table time_hour TodayLogins] |eval Diff=(TodayLogins-AverageLogins) | table time_hour TodayLogins AverageLogins Diff

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎05-11-2018 11:33 AM

hello there,

try this search out:
from answer by @HeinzWaescher
https://answers.splunk.com/answers/253934/compare-result-to-other-results-on-same-day-of-the.html
index="_internal" "login"
| bucket _time span=1d
| stats count as Total_Logins by _time host
| sort 1-_time
| eval weekday=strftime(_time,"%a")
| eval today=strftime(now(), "%a")
| eval sameDay=if(today=weekday,1,0)
| search sameDay=1
| streamstats avg(Total_Logins) AS avg BY host
| streamstats current=f global=f window=1 latest(avg) as last_avg by host

see screenshot:
alt text

hope it helps

Preview file
1 KB
0 Karma
Reply

deepashri_123
Motivator
‎04-16-2018 02:37 AM

Hey@sai_john,

Can you try something like this

index="_internal" "login" earliest=-30d|search id="" |stats dc(id) AS "Total_Login" by date_hour, date_wday|chart avg(Total_Login) AS AverageLogins over date_hour by date_wday limit=0 | table date_hour AverageLogins |join date_hour [search index="_internal" "login" earliest=-24h |search id="" | stats dc(id) AS "TodayLogins" by date_hour, date_wday |chart values(TodayLogins) AS TodayLogins by date_hour limit=0 |table date_hour TodayLogins] |eval Diff=(TodayLogins-AverageLogins) | table date_hour TodayLogins AverageLogins Diff

Let me know if this helps!!

0 Karma
Reply

sai_john
New Member
‎04-17-2018 01:46 PM

I have noticed that average logins are not pulled up with correct results. i am looking to to get average of that particular day for last 30 days. for suppose, if you run the search on Monday, you need to get average of all mondays within last 30 days.
Is there a way to get correct average for only weekdays and then get difference with above search?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...