How to search the average number of events per day...

502087470 · ‎06-24-2016

I have a macro that breaks out events by severity. I am trying to look at the average number of events by severity averaged for each day of the week and each hour. I'm using the following and it is breaking out events by severity but not populating the average number events for each day of the week and I'm missing the hour of each day of the week.

| bucket _time span=1d
| eval DayOfWeek=strftime(_time, "%a")
| stats avg(severity) AS Avg by DayOfWeek, severity

My results are:

DayOfWeek   severity         Avg
Wed       high   
Wed       informational  
Wed       low    
Wed       medium     
Wed       info   
Wed       critical   
Tue       critical ...

I'm looking for:

Day of week    hour     severity     average # events
Mon            12:00    critical     200
Mon            1:00     critical     50 
Mon            .....
Tues           12:00    high         50
Tues           1:00     high         25
Tues           2:00     high         15

sundareshr · ‎06-24-2016

Try this

| bucket _time span=1h
| eval DayOfWeek=strftime(_time, "%a %H:%M")
| stats avg(severity) AS Avg by DayOfWeek, severity

And, if you want to split DoW & Hour, you can add this to the end

... | rex field=DayOfWeek "(?<DayOfWeek>\w{3})\s(?<Hour>.*)" | table DayOfWeek Hour severity Avg

502087470 · ‎06-24-2016

That gets me closer but doesn't break out each severity per hour, per day, average. It still doesn't populate the average number of events and I can't seem to figure out why.

How to search the average number of events per day by severity?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!