Splunk Search

How to calculate Average and Peak day for last 3 months

Shashank_87
Explorer

Hi, Is there a simple query to calculate the average and peak day count for last 3 months? For example let's say 3 months are Feb, March, April what i am looking for is -

Average count per day for 3 months. I mean what is the average and peak in Feb then what is the average and peak in March etc.

index=temp_env sourcetype=access_combined 
| bucket _time span=1d
| stats count by _time
| stats avg(count) as AverageCountPerDay by date_month

The above query is not giving any results. Any ideas?

0 Karma

skoelpin
SplunkTrust
SplunkTrust
index=temp_env sourcetype=access_combined earliest=-4mon latest=@m
 | bucket _time span=1mon
 | stats count by _time
 | eval date_month=strftime(_time, "%b")
 | eval date_day=strftime(_time, "%a")
 | stats avg(count) as AverageCountPerDay max(count) AS Peak_Per_Month by date_month, date_day

Try this, it will give you the max peak per month and day along with the average count per day and month. It's got a 4 month look back so it may get expensive to run. You may want to consider using metasearch or tstats for faster search speeds

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...