Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

AVG of Size by day

pinzer
Path Finder
‎11-08-2010 11:48 AM

Hi all, i need to take the avg of Size by day.

sourcetype="sophos" pmx_action="keep" fur!="none"| bucket _time span=1d | timechart span=1d sum(Size) as sum_size | stats last(sum_size) as today_count avg(sum_size) as avg_size

How can i take the avg_size value correctly?

I do not have to take the avg of the daily values but the avg of the daily sum in the month. Thanks a lot

Tags (1)
0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎11-08-2010 03:42 PM

It sounds like you should be creating a daily summary and then searching against that result at the end of the monthly period. We call this summary indexing in Splunk terms. Since you need to store the actual daily sum on a daily basis, you really want to be creating your daily average against those result sets. See the docs for more information on how to do this:

http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...