
How to create a string that produces a week's worth of averages?

reverse
Contributor

How would I create a result like below: avg(v2) of last week and avg(v2) of current week?
Please guide.
Thanks.

    date        v1     v2
    05-22-2019  22.1   4
    05-22-2019  22.38  1
    05-23-2019  22.46  0.4
    05-24-2019  23.02  2.5
    05-24-2019  23.26  1.0
    05-25-2019  23.46  0.86
    05-27-2019  23.5   0.17
    05-28-2019  24.09  3
    05-30-2019  24.79  2.9
    05-30-2019  25.1   1
    05-31-2019  25.45  1
    06-01-2019  25.8   1
    06-02-2019  25.84  0.16

Vijeta
Influencer

@reverse- You can try below

    <your search>
    | eval new_date=strptime(date,"%m-%d-%Y")
    | eval week=strftime(new_date,"%U")
    | eventstats avg(v2) as average_v2 by week

aromanauskas
Path Finder

You need to pull the week number out of the date.

    | eval week_number=strftime(strptime(date,"%m-%d-%Y"),"%W")

If you then want to calculate the results for the current vs other weeks you can do some other evals such as

    | eval this_week_number=strftime(now(),"%W") | eval weeks_ago=this_week_number - week_number

Need more information to determine how you would want the stats to look.
