Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Average Failed Logins by Day of Week For Last 90 Days

SplunkLunk
Path Finder
‎09-14-2020 08:36 AM

Greetings,

The search I am using currently is giving me the total number of failed logins by day of the week for the last 90 days:

| base search event="login_fail"
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count by weekday
| stats avg(count) by weekday

The problem is I want to find the daily average number of failed logins for the last 90 days.  For example, in the search above is shows a total of 625 failed logins for Fridays.  The last line of the search isn't providing any value so it's not needed.  Is there a way to modify my search to get that average number instead of the total count for Fridays?  For example, since there are ~12 Fridays over the last 90 days that would come out to ~52 failed logins on Fridays (12 * 52 is where I get the 625).    Thanks for any help.

Labels (2)
Labels
0 Karma
Reply

danielansell
Path Finder
‎09-15-2020 08:50 AM

Try this:

| base search event="login_fail"
| eval weekday=strftime(_time,"%A"), date=strftime(_time,"%x")
| stats count by date, weekday
| stats avg(count) by weekday

0 Karma
Reply

SplunkLunk
Path Finder
‎09-14-2020 10:53 AM

I want to do what the person in this old post tried to do but the solution there isn't working for me:

https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2020 09:01 AM

Try this variation of your query.

base search
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count, dc(date_mday) as days by weekday
| eval avg=count/days
| table weekday avg
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SplunkLunk
Path Finder
‎09-14-2020 09:02 AM

Thanks for the response.  But that search doesn't produce any results in the "avg" column.  It's blank.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-14-2020 02:19 PM

Hi

can you check your base search as this is working for me

index=_internal earliest=-1mon
| bin _time as date span=1d
| eval weekday=strftime(_time, "%A")
| stats count, dc(date_mday) as days by weekday
| eval avg=count/days
| table weekday avg
0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...