Alerting

How to write a rex to get daily average for time range?

sphiwee
Contributor

| rex "^(?\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?[^\]]*)\]\s*\[(?[^\]]*)\]\s*\[(?[^\]]*)\]\s*[^\[]+\s\[(?[^\]]+)" | search Log_level="ERROR" | where Process != "" | stats count AS ERRORS by Process | sort - count asc

 

 

i have above query to help get ERROR count of our processes, but I want to get the daily average of the number of errors generated by each process between a certain time interval.. lets say from 6am to 6pm from monday to friday, How can I achieve this

Labels (1)
Tags (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It is not entirely clear what this search is doing. For example, the rex is not extracting any fields.

Assuming you have _time extracted correctly, you can determine the hour, restrict that to 6am to 6pm, then count by day and process

| search Log_level="ERROR"
| where Process != ""
| eval hour=strftime(_time,"%H")
| where hour >= 6 AND hour < 18
| eval day=strftime(_time,"%w")
| where day >= 1 AND day <= 5
| bin _time span=1d
| stats count AS ERRORS by _time Process
| sort 0 _time count

sphiwee
Contributor

Hi thanks, but this query only brings back total results per process and not the average

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| stats avg(ERRORS) by Process
0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...