Answers for "how to calculate the average of my search result for past 7 days. Also how can i make my result to display in timechart for 7 days?"
https://answers.splunk.com/answers/456561/how-to-calculate-the-average-of-my-search-result-f.html
The latest answers for the question "how to calculate the average of my search result for past 7 days. Also how can i make my result to display in timechart for 7 days?"

Answer by sideview
https://answers.splunk.com/answering/456562/view.html
Try this - Here I'm just replacing `stats sum(b)` with `timechart span=1d sum(b)`. When run over a 7 day timerange, instead of one row in your search result you'll get 7 (or more generally 8, since there's part of today as well as part of 8 days ago in a 7 day timerange)
```
field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)
```
UPDATE:
(sorry for forgetting the 'avg per day' bit) - you then want to calculate what the average is per day, but first of all I would make sure that your timerange is very precise about what days are being searched. The default "Last 7 days" timerange is from -7d@h to now. However this will include today up to the current time, which is bad, and also a little slice of the day that was exactly one week ago. Instead you should use the "Advanced" part of the time range picker to run this timerange:
earliest: -7d@d
latest: @d
That will run precisely a 7 day timerange.
Then you can calculate the average of those just by tacking on an extra

```
| stats avg(mb) as MB avg(gb) as GB
```

Mon, 03 Oct 2016 19:48:52 GMT
sideview
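The effect of the two time ranges discussed in the answer above, as an added example that is not part of the original post and is not Splunk code: a Python simulation of `timechart span=1d sum(b)` followed by a per-day average. The event data, the `NOW` timestamp and all function names are constructed for illustration, and time zones are ignored.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)

def snap_day(t):
    """Equivalent of the @d snap: truncate to midnight."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def snap_hour(t):
    """Equivalent of the @h snap: truncate to the top of the hour."""
    return t.replace(minute=0, second=0, microsecond=0)

def window(now, precise):
    """Return (earliest, latest): -7d@d..@d if precise, else -7d@h..now."""
    if precise:
        return snap_day(now) - 7 * DAY, snap_day(now)
    return snap_hour(now - 7 * DAY), now

def daily_bytes(events, earliest, latest):
    """Sum event sizes per calendar day inside [earliest, latest)."""
    buckets = {}
    day = snap_day(earliest)
    while day < latest:            # one bucket per calendar day touched
        buckets[day.date()] = 0
        day += DAY
    for ts, size in events:
        if earliest <= ts < latest:
            buckets[ts.date()] += size
    return buckets

def avg_mib_per_day(buckets):
    """Average over the daily buckets, in MiB (the stats avg(mb) step)."""
    return sum(buckets.values()) / len(buckets) / (1024 * 1024)

# Constructed sample: one 1 MiB event per hour for the 240 hours before NOW.
NOW = datetime(2016, 10, 3, 19, 48, 52)
EVENTS = [(snap_hour(NOW) - timedelta(hours=h), 1024 * 1024) for h in range(240)]

def compare():
    """Return {label: (bucket_count, avg MiB/day)} for both time ranges."""
    result = {}
    for label, precise in (("-7d@h..now", False), ("-7d@d..@d", True)):
        buckets = daily_bytes(EVENTS, *window(NOW, precise))
        result[label] = (len(buckets), avg_mib_per_day(buckets))
    return result

if __name__ == "__main__":
    for label, (n, avg) in compare().items():
        print(f"{label}: {n} daily buckets, avg {avg} MiB/day")
```

With a steady 24 MiB per day, the default range produces two partial-day buckets that pull the average down, while the snapped range yields seven full days.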