- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- avg of number of events by day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, i need to search the average number from the count by day of an event.
for example if i have 3 5 and 4 events in three different days i need the average that is 4.
the eventtype is
eventtype="searchAccountLocked"
i need also to use rangemap in my search...to control if the number of events of today is higher than the average. I'm using this search queri that doesn't work
eventtype="searchAccountLocked" | stats count as count2 | timechart span=1d count | stats avg(count) |rangemap field=count2 green=1-count2 red=count2-50000 default=gray
please help me! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype="searchAccountLocked" | timechart span=1d count | stats avg(count)
or
eventtype="searchAccountLocked" | bucket span=1d _time | stats count by _time | stats avg(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You won't be able to use the rangemap command for this purpose. But you can use the eval command to do so:
eventtype="searchAccountLocked" | timechart span=1d count | stats last(count) as today_count avg(count) as avg_count | eval range=if(today_count>avg_count, "red", "green")
Documentation on the eval command: http://www.splunk.com/base/Documentation/latest/SearchReference/Eval
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! thanks a lot! Really good work!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype="searchAccountLocked" | timechart span=1d count | stats avg(count)
or
eventtype="searchAccountLocked" | bucket span=1d _time | stats count by _time | stats avg(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've added a separate answer for the solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i need also to use rangemap in my search...to control if the number of events of today is higher than the average. I'm using this search queri that doesn't work
eventtype="searchAccountLocked" | stats count as count2 | timechart span=1d count | stats avg(count) |rangemap field=count2 green=1-count2 red=count2-50000 default=gray
please help me! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks a lot! Good work!
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
