How to write a rex to get daily average for time r...

sphiwee · ‎08-01-2022

| rex "^(?\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?[^\]]*)\]\s*\[(?[^\]]*)\]\s*\[(?[^\]]*)\]\s*[^\[]+\s\[(?[^\]]+)" | search Log_level="ERROR" | where Process != "" | stats count AS ERRORS by Process | sort - count asc

i have above query to help get ERROR count of our processes, but I want to get the daily average of the number of errors generated by each process between a certain time interval.. lets say from 6am to 6pm from monday to friday, How can I achieve this

ITWhisperer · ‎08-01-2022

It is not entirely clear what this search is doing. For example, the rex is not extracting any fields.

Assuming you have _time extracted correctly, you can determine the hour, restrict that to 6am to 6pm, then count by day and process

| search Log_level="ERROR"
| where Process != ""
| eval hour=strftime(_time,"%H")
| where hour >= 6 AND hour < 18
| eval day=strftime(_time,"%w")
| where day >= 1 AND day <= 5
| bin _time span=1d
| stats count AS ERRORS by _time Process
| sort 0 _time count

sphiwee · ‎08-01-2022

Hi thanks, but this query only brings back total results per process and not the average

ITWhisperer · ‎08-01-2022

| stats avg(ERRORS) by Process

How to write a rex to get daily average for time range?

other

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...