- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you find the average count within a tim...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you find the average count within a time range?
I have the following search that shows users who are continuously being infected over a 30 day period:
index=foo
| stats count range(_time) as TimeRange by user src app app:category app:subcategory threat url
| where TimeRange>1800
| where NOT zone="null"
| eval TimeRange_In_Hours = round(TimeRange/3600,2), TimeRange_In_Days = round(TimeRange/3600/24,2)
is it possible to show the avg count within the time range being returned per user?
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What average do you want to calculate?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If possible, the avg hits within the TimeRange_In_Hours
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So avg number of hits per hour? If count is the total number of hits, just do | eval avg_hits = count / TimeRange_In_Hours. Or am I not understanding your objective?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was it - I was overthinking the issue when it ended being very simple
Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we have some sample output, with example/dummy data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure thing:
user src app app:category app:subcategory threat url count TimeRange TimeRange_In_Days TimeRange_In_Hours
jdoe x.x.x.x web-browsing general-internet internet-utility Virus/Win32.WGeneric.pppda(195251778) AliMiserUpdate.exe 4 2703 0.03 0.75
msmith x.x.x.x web-browsing general-internet internet-utility Virus/Win32.WGeneric.pppda(195251778) AliMiserUpdate.exe 7 7931 0.09 2.2
rjones x.x.x.x web-browsing general-internet internet-utility Generic User-Agent Traffic(10015) www.cnki.net/elearning/JournalMgr/JConfig.ini 3 23714 0.27 6.59
mhammer x.x.x.x web-browsing general-internet internet-utility Veil-Evasion Payload Detected(39480) openblas_warpper.dll 13 5853 0.07 1.63
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
