Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Columns split by Sum and Average over _time

glancaster
Path Finder
‎05-30-2014 07:28 AM

Hello all,

I am having a terrible time trying to get this logic correct and maybe someone can chime in to help a bit.

I would like the sum of searches per day of all users split by the avg number of searches by user over 90 days but I can't seem to work it out just right. I am able to post the average of the total search across the chart but not the daily average. 

index=_audit host=search-* earliest=-90d latest=-1d  search_id!=scheduler_* 
| bucket _time span=1d 
|stats count by _time 
| eventstats avg(count) as SearchAVG

Any help is appreciated. Thank you!

https://drive.google.com/file/d/0B7c2Ap0cICFka243RFlqeTVRVlU/edit?usp=sharing

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-30-2014 07:55 AM

Try this

index=_audit host=search-* earliest=-90d latest=-1d  search_id!=scheduler_* 
| bucket _time span=1d 
    |stats count by _time,user 
    |stats sum(count) as TotalSearches, avg(count) by _time

This gives total search count (from all users) and daily average (for all user, total searches that day divided by total users that day).

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-30-2014 07:55 AM

Try this

index=_audit host=search-* earliest=-90d latest=-1d  search_id!=scheduler_* 
| bucket _time span=1d 
    |stats count by _time,user 
    |stats sum(count) as TotalSearches, avg(count) by _time

This gives total search count (from all users) and daily average (for all user, total searches that day divided by total users that day).

Reply
Solved! Jump to solution

glancaster
Path Finder
‎05-30-2014 08:46 AM

This worked exactly like I needed! Here is what I ended up with:

index=audit host=search-* earliest=-90d latest=-1d |search search_id=scheduler* | timechart dc(search_id) AS SchedSearches span=1d| appendcols [search index=audit host=search-* earliest=-90d latest=-1d search_id=scheduler* user=* | bucket _time span=1d |stats count by _time, user |timechart avg(count) as "AVG Search Head Usage"]

Do you know how I could ask to forget any users who did not have more than 5 searches that day? I tried adding in

|stats count by user
|search count > 5

but thats yielded no results.

Cheers!

0 Karma
Reply
Solved! Jump to solution

glancaster
Path Finder
‎05-30-2014 07:52 AM

_time, TotalSearches and AvgSearches (of all users) - all per day.

a graph over time with columns split by Total Searches per day and the Avg Searches by all users per day.

The part I can't work out is the avg of the dc(search_id) by users per day.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-30-2014 07:47 AM

What is the expected output?
_time...TotalSearches...AvgSearch

OR

_time...TotalSearches...AvgSearchUser1...AvgSearchUser2...

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...