Dear All,
I've got a problem with a Splunk search. I'd like to compare the number of mails sent in the last 24 h with the daily average of the last month.
The search that I'm using is the following:
sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=24h _time | timechart span=24h count | stats last(count) as today_count avg(count) as avg_count
The problem is that this search compares the average with the count of events from 00.00 of the last day to the NOW time.
What I want is to compare the NOW-1d count with the average. Is that possible? Regards
sourcetype="sophos" pmx_action="keep" fur!="none"
earliest=-30d@d latest=@d | bin _time span=1d | stats count as dailyCount by _time | stats avg(dailyCount) as monthlyAvg |
join [search
sourcetype="sophos" pmx_action="keep" fur!="none"
earliest=-24h@h latest=@h | stats count as todayCount ]
This search gives 2 results: monthlyAvg and todayCount
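To make the difference between the two approaches concrete, here is an added example (not part of the original question or answer, and not Splunk code) that reproduces the time-window semantics in Python over a constructed set of mail timestamps: the question's midnight-aligned bucket that only covers 00:00 up to NOW, the answer's rolling `-24h@h` to `@h` window, and the 30-day daily average. The event set, the fixed `NOW`, and the function names are all constructed for the illustration. It buckets the baseline by calendar date rather than `date_mday` so that days from two different months never share a key.

```python
from datetime import datetime, timedelta, timezone
from collections import Counter

# Fixed "now" so the example is reproducible (constructed value, UTC).
NOW = datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc)


def build_events(now=NOW):
    """Constructed sample feed: 4 mails/day for the 30 days before today,
    plus a burst of 20 mails spread over the last 20 hours."""
    events = []
    day0 = snap_to_day(now - timedelta(days=30))
    for d in range(30):
        for h in (2, 8, 14, 20):
            events.append(day0 + timedelta(days=d, hours=h))
    # Burst: one mail per hour from 1 h ago back to 20 h ago
    for i in range(20):
        events.append(now - timedelta(hours=1 + i))
    return events


def snap_to_day(t):
    """Splunk '@d': snap back to midnight."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def snap_to_hour(t):
    """Splunk '@h': snap back to the top of the hour."""
    return t.replace(minute=0, second=0, microsecond=0)


def count_between(events, start, end):
    """Splunk time ranges: earliest is inclusive, latest is exclusive."""
    return sum(1 for t in events if start <= t < end)


def partial_today_count(events, now=NOW):
    """What the question's search reports: the 24h bucket containing NOW
    only holds events from today's midnight up to NOW, so it is a partial day."""
    return count_between(events, snap_to_day(now), now)


def rolling_24h_count(events, now=NOW):
    """The answer's todayCount: earliest=-24h@h latest=@h, a full 24 h window."""
    end = snap_to_hour(now)
    return count_between(events, end - timedelta(hours=24), end)


def monthly_daily_average(events, now=NOW):
    """The answer's monthlyAvg: earliest=-30d@d latest=@d, count per day, mean.
    Like 'stats count by <day>', days with zero mail are absent from the
    buckets and therefore do not lower the average."""
    end = snap_to_day(now)
    start = end - timedelta(days=30)
    per_day = Counter(t.date() for t in events if start <= t < end)
    return sum(per_day.values()) / len(per_day)


def volume_ratio(events, now=NOW):
    """Ratio of the rolling 24 h count to the daily baseline; a value far
    above 1 is what a volume alert on outbound mail would key on."""
    return rolling_24h_count(events, now) / monthly_daily_average(events, now)


if __name__ == "__main__":
    evs = build_events()
    print("partial today (question's search):", partial_today_count(evs))
    print("rolling 24h (answer's todayCount): ", rolling_24h_count(evs))
    print("30-day daily average:              ", round(monthly_daily_average(evs), 2))
    print("ratio rolling / average:           ", round(volume_ratio(evs), 2))
```

With the constructed feed the midnight-aligned bucket sees only the nine burst mails sent since 00:00, while the rolling window sees all twenty burst mails plus the two regular afternoon mails from yesterday, which is the count the question actually wanted to compare against the baseline.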