Solved: How can I perform a count and then average that co...

rcarmack1 · ‎07-26-2018

I am investigating failed logins. I need to perform a count of all failed logins by user, take an average of that count, and then only show results that are higher than the average.

index=windows fail*
| stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
| *Need to Average the count here*
| convert ctime("Earliest Failure") ctime("Latest Failure")
| where count > *Average*
| table user "Earliest Failure" "Latest Failure" count 
| sort -count

Thanks in advance!

kmaron · ‎07-26-2018

try just adding an eventstats

 index=windows fail*
 | stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
 | eventstats avg(count) as "Average"
 | convert ctime("Earliest Failure") ctime("Latest Failure")
 | where count > Average
 | table user "Earliest Failure" "Latest Failure" count 
 | sort -count

View solution in original post

kmaron · ‎07-26-2018

try just adding an eventstats

 index=windows fail*
 | stats earliest(_time) as "Earliest Failure", latest(_time) as "Latest Failure", count by user 
 | eventstats avg(count) as "Average"
 | convert ctime("Earliest Failure") ctime("Latest Failure")
 | where count > Average
 | table user "Earliest Failure" "Latest Failure" count 
 | sort -count

rcarmack1 · ‎07-26-2018

Perfect! Thank you!

How can I perform a count and then average that count?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!