Solved: Is it possible to show a column chart of the avera...

cmeyers · ‎02-19-2016

I apologize if this as been asked before. The examples I have found are a bit too much, as what I want to achieve is hopefully simple.

I would like to show a column graph showing the average amount of logs received by hour over the last 7 days. The graph needs to have 24 hours as columns and their average count by hour over 7 days. So my search is as simple as:

device_type=firewall | timechart span=1h ?

Do you do a timechart with a span of 1h to get the hourly averages over the several days? I am not sure how to average them from there. Do I need a query for each hour of the day? I would assume I would have the search time going back as far as I want the log average to be effected by.

Any help would be appreciated!

somesoni2 · ‎02-19-2016

Try something like this (assuming you want avg count for that hour for x days).

device_type=firewall | timechart span=1h count | eval Hour=strftime(_time,"%H:%M") | stats avg(count) as Avg_count by Hour

So if for past 7 days, the count for hour 10:00 is 1,2,3,4,5,6 and 7 then Avg_count for 10:00 should be 4.

View solution in original post

somesoni2 · ‎02-19-2016

Try something like this (assuming you want avg count for that hour for x days).

device_type=firewall | timechart span=1h count | eval Hour=strftime(_time,"%H:%M") | stats avg(count) as Avg_count by Hour

So if for past 7 days, the count for hour 10:00 is 1,2,3,4,5,6 and 7 then Avg_count for 10:00 should be 4.

Is it possible to show a column chart of the average log count per hour over several days?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability