Comments and answers for "how to calculate the average of my search result for past 7 days. Also how can i make my result to display in timechart for 7 days?"
https://answers.splunk.com/answers/456561/how-to-calculate-the-average-of-my-search-result-f.html
The latest comments and answers for the question "how to calculate the average of my search result for past 7 days. Also how can i make my result to display in timechart for 7 days?"

Comment by sideview on sideview's comment
https://answers.splunk.com/comments/456566/view.html
D'oh - thanks somesoni2. I neglected to follow through all the way and write up how to do the avg-per-day. I've updated the answer.
Mon, 03 Oct 2016 20:07:13 GMT
sideview

Comment by somesoni2 on somesoni2's answer
https://answers.splunk.com/comments/456564/view.html
Just add `| eventstats avg(gb) as Avg` at the end for the average for that time period.
Mon, 03 Oct 2016 20:00:00 GMT
somesoni2

Comment by pavanae on pavanae's answer
https://answers.splunk.com/comments/456563/view.html
And how to calculate average(mb) for the past 7 days?
Mon, 03 Oct 2016 19:58:43 GMT
pavanae

Answer by sideview
https://answers.splunk.com/answering/456562/view.html
Try this - Here I'm just replacing `stats sum(b)` with `timechart span=1d sum(b)`. When run over a 7 day timerange, instead of one row in your search result you'll get 7 (or more generally 8, since there's part of today as well as part of 8 days ago in a 7 day timerange).
field_id="X" | eval b=len(_raw) | timechart span=1d sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2)
UPDATE:
(sorry for forgetting the 'avg per day' bit) - you then want to calculate what the average is per day, but first of all I would make sure that your timerange is very precise about what days are being searched. The default "Last 7 days" timerange is from -7d@h to now. However this will include today up to the current time, which is bad, and also a little slice of the day that was exactly one week ago. Instead you should use the "Advanced" part of the time range picker to run this timerange:
earliest: -7d@d
latest: @d
That will run precisely a 7 day timerange.
Then you can calculate the average for those just by tacking on an extra
| stats avg(mb) as MB avg(gb) as GB
Mon, 03 Oct 2016 19:48:52 GMT
sideview
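
An added illustration, not part of sideview's answer and not Splunk code: a simplified Python model of `timechart span=1d sum(b)` followed by a per-day average, run once over the default `-7d@h` to now window and once over `-7d@d` to `@d`. The function names, `NOW` and the sample events are constructed for this example, and time zones are ignored.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)

def snap_day(t):
    """Model of the @d snap: truncate to midnight."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def snap_hour(t):
    """Model of the @h snap: truncate to the top of the hour."""
    return t.replace(minute=0, second=0, microsecond=0)

def daily_sums(events, earliest, latest):
    """Simplified `timechart span=1d sum(b)`: one row per calendar day
    touched by [earliest, latest), summing bytes of in-range events."""
    rows = {}
    day = snap_day(earliest)
    while day < latest:
        rows[day] = 0
        day += DAY
    for ts, nbytes in events:
        if earliest <= ts < latest:
            rows[snap_day(ts)] += nbytes
    return rows

def avg_per_day(rows):
    """Model of `stats avg(b)` over the timechart rows."""
    return sum(rows.values()) / len(rows)

def compare(now, events):
    """Return the daily rows for both time ranges discussed in the answer."""
    week_ago = now - 7 * DAY
    default = daily_sums(events, snap_hour(week_ago), now)           # -7d@h .. now
    precise = daily_sums(events, snap_day(week_ago), snap_day(now))  # -7d@d .. @d
    return default, precise

# Constructed sample data: one 1000-byte event every hour, so every
# complete day really carries 24000 bytes.
NOW = datetime(2016, 10, 3, 15, 30)
START = datetime(2016, 9, 23)
EVENTS = [(START + timedelta(hours=h), 1000) for h in range(256)]

if __name__ == "__main__":
    for label, rows in zip(("-7d@h..now", "-7d@d..@d"), compare(NOW, EVENTS)):
        print(label, len(rows), "rows, avg/day =", avg_per_day(rows))
```

With constant traffic, the two partial-day rows in the default window pull the per-day average below the true daily volume, while the day-snapped window yields exactly seven complete rows.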