Splunk Search

How to search the average number of events per day by severity?

502087470
New Member

I have a macro that breaks out events by severity. I am trying to look at the average number of events by severity averaged for each day of the week and each hour. I'm using the following and it is breaking out events by severity but not populating the average number of events for each day of the week, and I'm missing the hour of each day of the week.

| bucket _time span=1d
| eval DayOfWeek=strftime(_time, "%a")
| stats avg(severity) AS Avg by DayOfWeek, severity

My results are:

DayOfWeek   severity         Avg
Wed       high   
Wed       informational  
Wed       low    
Wed       medium     
Wed       info   
Wed       critical   
Tue       critical ...

I'm looking for:

Day of week    hour     severity     average # events
Mon            12:00    critical     200
Mon            1:00     critical     50 
Mon            .....
Tues           12:00    high         50
Tues           1:00     high         25
Tues           2:00     high         15

sundareshr
Legend

Try this

| bucket _time span=1h
| eval DayOfWeek=strftime(_time, "%a %H:%M")
| stats avg(severity) AS Avg by DayOfWeek, severity

And, if you want to split DoW & Hour, you can add this to the end

... | rex field=DayOfWeek "(?<DayOfWeek>\w{3})\s(?<Hour>.*)" | table DayOfWeek Hour severity Avg

502087470
New Member

That gets me closer but doesn't break out each severity per hour, per day, average. It still doesn't populate the average number of events and I can't seem to figure out why.

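The empty Avg column in both searches comes from avg(severity) being applied to a string field, which stats skips; what the question actually asks for is a count per hourly bucket and then the average of those counts for each day of week, hour and severity. The search below is an added example, not code from either poster, and assumes the events come from a placeholder macro `my_severity_macro` that produces a severity field:

```spl
`my_severity_macro`
| timechart span=1h limit=0 count BY severity
| untable _time severity events_in_hour
| eval DayOfWeek=strftime(_time, "%a"), Hour=strftime(_time, "%H:00")
| stats avg(events_in_hour) AS avg_events BY DayOfWeek Hour severity
| sort DayOfWeek Hour severity
```

timechart is used for the first stage rather than bucket + stats count so that hours with no events of a given severity contribute a zero to the average instead of being dropped; limit=0 keeps every severity as its own series instead of folding the less common ones into OTHER.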