Splunk Query to show average count and minimum for...

Strangertinz · ‎02-12-2024

Hi,

I created a column chart in Splunk that shows month but will like to also indicate the day of the week for each of those months

Sample query
-------------------
index=_internal
| bucket _time span =1d
|eval month=strftime(_time,"%b")
| eval day=strftime(_time,"%a")
| stats avg(count) as Count max(count) as maximum by month, day

gcusello · ‎02-12-2024

Hi @Strangertinz,

your search seems to be correct, what's your issue?

Ciao.

Giuseppe

Strangertinz · ‎02-13-2024

The issue is the graph shows month on the x axis and I want it to indicate both month and day of the week

gcusello · ‎02-13-2024

Hi @Strangertinz ,

please try this:

index=_internal
| bucket _time span =1d
| eval date=strftime(_time,"%a-%b")
| stats avg(count) as Count max(count) as maximum by date

Ciao.

Giuseppe

Strangertinz · ‎02-13-2024

Thanks for your quick response but the query is not working

gcusello · ‎02-13-2024

Hi @Strangertinz ,

sorry but what do you want to calculate with avg(count) and max(count)?

count isn't a field to calculate average or maximun.
you can have the count of events by period

index=_internal
| bucket _time span =1d
| eval date=strftime(_time,"%a-%b")
| stats count by date

Ciao.

Giuseppe

Strangertinz · ‎02-13-2024

I want to calculate average count per day and maximum count per month. Like all the Mondays , Tuesdays of a given month combined and averaged

Splunk Query to show average count and minimum for date_month and date_day

chart

count

eval

stats

table

timechart

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...